1/* SPDX-License-Identifier: GPL-2.0-only */ 2/* 3 * AES-NI + SSE2 implementation of AEGIS-128 4 * 5 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com> 6 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved. 7 */ 8 9#include <linux/linkage.h> 10#include <asm/frame.h> 11 12#define STATE0 %xmm0 13#define STATE1 %xmm1 14#define STATE2 %xmm2 15#define STATE3 %xmm3 16#define STATE4 %xmm4 17#define KEY %xmm5 18#define MSG %xmm5 19#define T0 %xmm6 20#define T1 %xmm7 21 22#define STATEP %rdi 23#define LEN %rsi 24#define SRC %rdx 25#define DST %rcx 26 27.section .rodata.cst16.aegis128_const, "aM", @progbits, 32 28.align 16 29.Laegis128_const_0: 30 .byte 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d 31 .byte 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62 32.Laegis128_const_1: 33 .byte 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1 34 .byte 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd 35 36.section .rodata.cst16.aegis128_counter, "aM", @progbits, 16 37.align 16 38.Laegis128_counter: 39 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 40 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f 41 42.text 43 44/* 45 * aegis128_update 46 * input: 47 * STATE[0-4] - input state 48 * output: 49 * STATE[0-4] - output state (shifted positions) 50 * changed: 51 * T0 52 */ 53.macro aegis128_update 54 movdqa STATE4, T0 55 aesenc STATE0, STATE4 56 aesenc STATE1, STATE0 57 aesenc STATE2, STATE1 58 aesenc STATE3, STATE2 59 aesenc T0, STATE3 60.endm 61 62/* 63 * __load_partial: internal ABI 64 * input: 65 * LEN - bytes 66 * SRC - src 67 * output: 68 * MSG - message block 69 * changed: 70 * T0 71 * %r8 72 * %r9 73 */ 74__load_partial: 75 xor %r9d, %r9d 76 pxor MSG, MSG 77 78 mov LEN, %r8 79 and $0x1, %r8 80 jz .Lld_partial_1 81 82 mov LEN, %r8 83 and $0x1E, %r8 84 add SRC, %r8 85 mov (%r8), %r9b 86 87.Lld_partial_1: 88 mov LEN, %r8 89 and $0x2, %r8 90 jz .Lld_partial_2 91 92 mov LEN, %r8 93 and $0x1C, %r8 94 add SRC, %r8 95 shl $0x10, %r9 96 mov (%r8), %r9w 97 98.Lld_partial_2: 99 mov LEN, %r8 100 and $0x4, %r8 101 jz .Lld_partial_4 102 103 mov LEN, %r8 104 and $0x18, %r8 105 add SRC, %r8 106 shl $32, %r9 107 mov (%r8), %r8d 108 xor %r8, %r9 109 110.Lld_partial_4: 111 movq %r9, MSG 112 113 mov LEN, %r8 114 and $0x8, %r8 115 jz .Lld_partial_8 116 117 mov LEN, %r8 118 and $0x10, %r8 119 add SRC, %r8 120 pslldq $8, MSG 121 movq (%r8), T0 122 pxor T0, MSG 123 124.Lld_partial_8: 125 ret 126ENDPROC(__load_partial) 127 128/* 129 * __store_partial: internal ABI 130 * input: 131 * LEN - bytes 132 * DST - dst 133 * output: 134 * T0 - message block 135 * changed: 136 * %r8 137 * %r9 138 * %r10 139 */ 140__store_partial: 141 mov LEN, %r8 142 mov DST, %r9 143 144 movq T0, %r10 145 146 cmp $8, %r8 147 jl .Lst_partial_8 148 149 mov %r10, (%r9) 150 psrldq $8, T0 151 movq T0, %r10 152 153 sub $8, %r8 154 add $8, %r9 155 156.Lst_partial_8: 157 cmp $4, %r8 158 jl .Lst_partial_4 159 160 mov %r10d, (%r9) 161 shr $32, %r10 162 163 sub $4, %r8 164 add $4, %r9 165 166.Lst_partial_4: 167 cmp $2, %r8 168 jl .Lst_partial_2 169 170 mov %r10w, (%r9) 171 shr $0x10, %r10 172 173 sub $2, %r8 174 add $2, %r9 175 176.Lst_partial_2: 177 cmp $1, %r8 178 jl .Lst_partial_1 179 180 mov %r10b, (%r9) 181 182.Lst_partial_1: 183 ret 184ENDPROC(__store_partial) 185 186/* 187 * void crypto_aegis128_aesni_init(void *state, const void *key, const void *iv); 188 */ 189ENTRY(crypto_aegis128_aesni_init) 190 FRAME_BEGIN 191 192 /* load IV: */ 193 movdqu (%rdx), T1 194 195 /* load key: */ 196 movdqa (%rsi), KEY 197 pxor KEY, T1 198 movdqa T1, STATE0 199 movdqa KEY, STATE3 200 movdqa KEY, STATE4 201 202 /* load the constants: */ 203 movdqa .Laegis128_const_0, STATE2 204 movdqa .Laegis128_const_1, STATE1 205 pxor STATE2, STATE3 206 pxor STATE1, STATE4 207 208 /* update 10 times with KEY / KEY xor IV: */ 209 aegis128_update; pxor KEY, STATE4 210 aegis128_update; pxor T1, STATE3 211 aegis128_update; pxor KEY, STATE2 212 aegis128_update; pxor T1, STATE1 213 aegis128_update; pxor KEY, STATE0 214 aegis128_update; pxor T1, STATE4 215 aegis128_update; pxor KEY, STATE3 216 aegis128_update; pxor T1, STATE2 217 aegis128_update; pxor KEY, STATE1 218 aegis128_update; pxor T1, STATE0 219 220 /* store the state: */ 221 movdqu STATE0, 0x00(STATEP) 222 movdqu STATE1, 0x10(STATEP) 223 movdqu STATE2, 0x20(STATEP) 224 movdqu STATE3, 0x30(STATEP) 225 movdqu STATE4, 0x40(STATEP) 226 227 FRAME_END 228 ret 229ENDPROC(crypto_aegis128_aesni_init) 230 231/* 232 * void crypto_aegis128_aesni_ad(void *state, unsigned int length, 233 * const void *data); 234 */ 235ENTRY(crypto_aegis128_aesni_ad) 236 FRAME_BEGIN 237 238 cmp $0x10, LEN 239 jb .Lad_out 240 241 /* load the state: */ 242 movdqu 0x00(STATEP), STATE0 243 movdqu 0x10(STATEP), STATE1 244 movdqu 0x20(STATEP), STATE2 245 movdqu 0x30(STATEP), STATE3 246 movdqu 0x40(STATEP), STATE4 247 248 mov SRC, %r8 249 and $0xF, %r8 250 jnz .Lad_u_loop 251 252.align 8 253.Lad_a_loop: 254 movdqa 0x00(SRC), MSG 255 aegis128_update 256 pxor MSG, STATE4 257 sub $0x10, LEN 258 cmp $0x10, LEN 259 jl .Lad_out_1 260 261 movdqa 0x10(SRC), MSG 262 aegis128_update 263 pxor MSG, STATE3 264 sub $0x10, LEN 265 cmp $0x10, LEN 266 jl .Lad_out_2 267 268 movdqa 0x20(SRC), MSG 269 aegis128_update 270 pxor MSG, STATE2 271 sub $0x10, LEN 272 cmp $0x10, LEN 273 jl .Lad_out_3 274 275 movdqa 0x30(SRC), MSG 276 aegis128_update 277 pxor MSG, STATE1 278 sub $0x10, LEN 279 cmp $0x10, LEN 280 jl .Lad_out_4 281 282 movdqa 0x40(SRC), MSG 283 aegis128_update 284 pxor MSG, STATE0 285 sub $0x10, LEN 286 cmp $0x10, LEN 287 jl .Lad_out_0 288 289 add $0x50, SRC 290 jmp .Lad_a_loop 291 292.align 8 293.Lad_u_loop: 294 movdqu 0x00(SRC), MSG 295 aegis128_update 296 pxor MSG, STATE4 297 sub $0x10, LEN 298 cmp $0x10, LEN 299 jl .Lad_out_1 300 301 movdqu 0x10(SRC), MSG 302 aegis128_update 303 pxor MSG, STATE3 304 sub $0x10, LEN 305 cmp $0x10, LEN 306 jl .Lad_out_2 307 308 movdqu 0x20(SRC), MSG 309 aegis128_update 310 pxor MSG, STATE2 311 sub $0x10, LEN 312 cmp $0x10, LEN 313 jl .Lad_out_3 314 315 movdqu 0x30(SRC), MSG 316 aegis128_update 317 pxor MSG, STATE1 318 sub $0x10, LEN 319 cmp $0x10, LEN 320 jl .Lad_out_4 321 322 movdqu 0x40(SRC), MSG 323 aegis128_update 324 pxor MSG, STATE0 325 sub $0x10, LEN 326 cmp $0x10, LEN 327 jl .Lad_out_0 328 329 add $0x50, SRC 330 jmp .Lad_u_loop 331 332 /* store the state: */ 333.Lad_out_0: 334 movdqu STATE0, 0x00(STATEP) 335 movdqu STATE1, 0x10(STATEP) 336 movdqu STATE2, 0x20(STATEP) 337 movdqu STATE3, 0x30(STATEP) 338 movdqu STATE4, 0x40(STATEP) 339 FRAME_END 340 ret 341 342.Lad_out_1: 343 movdqu STATE4, 0x00(STATEP) 344 movdqu STATE0, 0x10(STATEP) 345 movdqu STATE1, 0x20(STATEP) 346 movdqu STATE2, 0x30(STATEP) 347 movdqu STATE3, 0x40(STATEP) 348 FRAME_END 349 ret 350 351.Lad_out_2: 352 movdqu STATE3, 0x00(STATEP) 353 movdqu STATE4, 0x10(STATEP) 354 movdqu STATE0, 0x20(STATEP) 355 movdqu STATE1, 0x30(STATEP) 356 movdqu STATE2, 0x40(STATEP) 357 FRAME_END 358 ret 359 360.Lad_out_3: 361 movdqu STATE2, 0x00(STATEP) 362 movdqu STATE3, 0x10(STATEP) 363 movdqu STATE4, 0x20(STATEP) 364 movdqu STATE0, 0x30(STATEP) 365 movdqu STATE1, 0x40(STATEP) 366 FRAME_END 367 ret 368 369.Lad_out_4: 370 movdqu STATE1, 0x00(STATEP) 371 movdqu STATE2, 0x10(STATEP) 372 movdqu STATE3, 0x20(STATEP) 373 movdqu STATE4, 0x30(STATEP) 374 movdqu STATE0, 0x40(STATEP) 375 FRAME_END 376 ret 377 378.Lad_out: 379 FRAME_END 380 ret 381ENDPROC(crypto_aegis128_aesni_ad) 382 383.macro encrypt_block a s0 s1 s2 s3 s4 i 384 movdq\a (\i * 0x10)(SRC), MSG 385 movdqa MSG, T0 386 pxor \s1, T0 387 pxor \s4, T0 388 movdqa \s2, T1 389 pand \s3, T1 390 pxor T1, T0 391 movdq\a T0, (\i * 0x10)(DST) 392 393 aegis128_update 394 pxor MSG, \s4 395 396 sub $0x10, LEN 397 cmp $0x10, LEN 398 jl .Lenc_out_\i 399.endm 400 401/* 402 * void crypto_aegis128_aesni_enc(void *state, unsigned int length, 403 * const void *src, void *dst); 404 */ 405ENTRY(crypto_aegis128_aesni_enc) 406 FRAME_BEGIN 407 408 cmp $0x10, LEN 409 jb .Lenc_out 410 411 /* load the state: */ 412 movdqu 0x00(STATEP), STATE0 413 movdqu 0x10(STATEP), STATE1 414 movdqu 0x20(STATEP), STATE2 415 movdqu 0x30(STATEP), STATE3 416 movdqu 0x40(STATEP), STATE4 417 418 mov SRC, %r8 419 or DST, %r8 420 and $0xF, %r8 421 jnz .Lenc_u_loop 422 423.align 8 424.Lenc_a_loop: 425 encrypt_block a STATE0 STATE1 STATE2 STATE3 STATE4 0 426 encrypt_block a STATE4 STATE0 STATE1 STATE2 STATE3 1 427 encrypt_block a STATE3 STATE4 STATE0 STATE1 STATE2 2 428 encrypt_block a STATE2 STATE3 STATE4 STATE0 STATE1 3 429 encrypt_block a STATE1 STATE2 STATE3 STATE4 STATE0 4 430 431 add $0x50, SRC 432 add $0x50, DST 433 jmp .Lenc_a_loop 434 435.align 8 436.Lenc_u_loop: 437 encrypt_block u STATE0 STATE1 STATE2 STATE3 STATE4 0 438 encrypt_block u STATE4 STATE0 STATE1 STATE2 STATE3 1 439 encrypt_block u STATE3 STATE4 STATE0 STATE1 STATE2 2 440 encrypt_block u STATE2 STATE3 STATE4 STATE0 STATE1 3 441 encrypt_block u STATE1 STATE2 STATE3 STATE4 STATE0 4 442 443 add $0x50, SRC 444 add $0x50, DST 445 jmp .Lenc_u_loop 446 447 /* store the state: */ 448.Lenc_out_0: 449 movdqu STATE4, 0x00(STATEP) 450 movdqu STATE0, 0x10(STATEP) 451 movdqu STATE1, 0x20(STATEP) 452 movdqu STATE2, 0x30(STATEP) 453 movdqu STATE3, 0x40(STATEP) 454 FRAME_END 455 ret 456 457.Lenc_out_1: 458 movdqu STATE3, 0x00(STATEP) 459 movdqu STATE4, 0x10(STATEP) 460 movdqu STATE0, 0x20(STATEP) 461 movdqu STATE1, 0x30(STATEP) 462 movdqu STATE2, 0x40(STATEP) 463 FRAME_END 464 ret 465 466.Lenc_out_2: 467 movdqu STATE2, 0x00(STATEP) 468 movdqu STATE3, 0x10(STATEP) 469 movdqu STATE4, 0x20(STATEP) 470 movdqu STATE0, 0x30(STATEP) 471 movdqu STATE1, 0x40(STATEP) 472 FRAME_END 473 ret 474 475.Lenc_out_3: 476 movdqu STATE1, 0x00(STATEP) 477 movdqu STATE2, 0x10(STATEP) 478 movdqu STATE3, 0x20(STATEP) 479 movdqu STATE4, 0x30(STATEP) 480 movdqu STATE0, 0x40(STATEP) 481 FRAME_END 482 ret 483 484.Lenc_out_4: 485 movdqu STATE0, 0x00(STATEP) 486 movdqu STATE1, 0x10(STATEP) 487 movdqu STATE2, 0x20(STATEP) 488 movdqu STATE3, 0x30(STATEP) 489 movdqu STATE4, 0x40(STATEP) 490 FRAME_END 491 ret 492 493.Lenc_out: 494 FRAME_END 495 ret 496ENDPROC(crypto_aegis128_aesni_enc) 497 498/* 499 * void crypto_aegis128_aesni_enc_tail(void *state, unsigned int length, 500 * const void *src, void *dst); 501 */ 502ENTRY(crypto_aegis128_aesni_enc_tail) 503 FRAME_BEGIN 504 505 /* load the state: */ 506 movdqu 0x00(STATEP), STATE0 507 movdqu 0x10(STATEP), STATE1 508 movdqu 0x20(STATEP), STATE2 509 movdqu 0x30(STATEP), STATE3 510 movdqu 0x40(STATEP), STATE4 511 512 /* encrypt message: */ 513 call __load_partial 514 515 movdqa MSG, T0 516 pxor STATE1, T0 517 pxor STATE4, T0 518 movdqa STATE2, T1 519 pand STATE3, T1 520 pxor T1, T0 521 522 call __store_partial 523 524 aegis128_update 525 pxor MSG, STATE4 526 527 /* store the state: */ 528 movdqu STATE4, 0x00(STATEP) 529 movdqu STATE0, 0x10(STATEP) 530 movdqu STATE1, 0x20(STATEP) 531 movdqu STATE2, 0x30(STATEP) 532 movdqu STATE3, 0x40(STATEP) 533 534 FRAME_END 535 ret 536ENDPROC(crypto_aegis128_aesni_enc_tail) 537 538.macro decrypt_block a s0 s1 s2 s3 s4 i 539 movdq\a (\i * 0x10)(SRC), MSG 540 pxor \s1, MSG 541 pxor \s4, MSG 542 movdqa \s2, T1 543 pand \s3, T1 544 pxor T1, MSG 545 movdq\a MSG, (\i * 0x10)(DST) 546 547 aegis128_update 548 pxor MSG, \s4 549 550 sub $0x10, LEN 551 cmp $0x10, LEN 552 jl .Ldec_out_\i 553.endm 554 555/* 556 * void crypto_aegis128_aesni_dec(void *state, unsigned int length, 557 * const void *src, void *dst); 558 */ 559ENTRY(crypto_aegis128_aesni_dec) 560 FRAME_BEGIN 561 562 cmp $0x10, LEN 563 jb .Ldec_out 564 565 /* load the state: */ 566 movdqu 0x00(STATEP), STATE0 567 movdqu 0x10(STATEP), STATE1 568 movdqu 0x20(STATEP), STATE2 569 movdqu 0x30(STATEP), STATE3 570 movdqu 0x40(STATEP), STATE4 571 572 mov SRC, %r8 573 or DST, %r8 574 and $0xF, %r8 575 jnz .Ldec_u_loop 576 577.align 8 578.Ldec_a_loop: 579 decrypt_block a STATE0 STATE1 STATE2 STATE3 STATE4 0 580 decrypt_block a STATE4 STATE0 STATE1 STATE2 STATE3 1 581 decrypt_block a STATE3 STATE4 STATE0 STATE1 STATE2 2 582 decrypt_block a STATE2 STATE3 STATE4 STATE0 STATE1 3 583 decrypt_block a STATE1 STATE2 STATE3 STATE4 STATE0 4 584 585 add $0x50, SRC 586 add $0x50, DST 587 jmp .Ldec_a_loop 588 589.align 8 590.Ldec_u_loop: 591 decrypt_block u STATE0 STATE1 STATE2 STATE3 STATE4 0 592 decrypt_block u STATE4 STATE0 STATE1 STATE2 STATE3 1 593 decrypt_block u STATE3 STATE4 STATE0 STATE1 STATE2 2 594 decrypt_block u STATE2 STATE3 STATE4 STATE0 STATE1 3 595 decrypt_block u STATE1 STATE2 STATE3 STATE4 STATE0 4 596 597 add $0x50, SRC 598 add $0x50, DST 599 jmp .Ldec_u_loop 600 601 /* store the state: */ 602.Ldec_out_0: 603 movdqu STATE4, 0x00(STATEP) 604 movdqu STATE0, 0x10(STATEP) 605 movdqu STATE1, 0x20(STATEP) 606 movdqu STATE2, 0x30(STATEP) 607 movdqu STATE3, 0x40(STATEP) 608 FRAME_END 609 ret 610 611.Ldec_out_1: 612 movdqu STATE3, 0x00(STATEP) 613 movdqu STATE4, 0x10(STATEP) 614 movdqu STATE0, 0x20(STATEP) 615 movdqu STATE1, 0x30(STATEP) 616 movdqu STATE2, 0x40(STATEP) 617 FRAME_END 618 ret 619 620.Ldec_out_2: 621 movdqu STATE2, 0x00(STATEP) 622 movdqu STATE3, 0x10(STATEP) 623 movdqu STATE4, 0x20(STATEP) 624 movdqu STATE0, 0x30(STATEP) 625 movdqu STATE1, 0x40(STATEP) 626 FRAME_END 627 ret 628 629.Ldec_out_3: 630 movdqu STATE1, 0x00(STATEP) 631 movdqu STATE2, 0x10(STATEP) 632 movdqu STATE3, 0x20(STATEP) 633 movdqu STATE4, 0x30(STATEP) 634 movdqu STATE0, 0x40(STATEP) 635 FRAME_END 636 ret 637 638.Ldec_out_4: 639 movdqu STATE0, 0x00(STATEP) 640 movdqu STATE1, 0x10(STATEP) 641 movdqu STATE2, 0x20(STATEP) 642 movdqu STATE3, 0x30(STATEP) 643 movdqu STATE4, 0x40(STATEP) 644 FRAME_END 645 ret 646 647.Ldec_out: 648 FRAME_END 649 ret 650ENDPROC(crypto_aegis128_aesni_dec) 651 652/* 653 * void crypto_aegis128_aesni_dec_tail(void *state, unsigned int length, 654 * const void *src, void *dst); 655 */ 656ENTRY(crypto_aegis128_aesni_dec_tail) 657 FRAME_BEGIN 658 659 /* load the state: */ 660 movdqu 0x00(STATEP), STATE0 661 movdqu 0x10(STATEP), STATE1 662 movdqu 0x20(STATEP), STATE2 663 movdqu 0x30(STATEP), STATE3 664 movdqu 0x40(STATEP), STATE4 665 666 /* decrypt message: */ 667 call __load_partial 668 669 pxor STATE1, MSG 670 pxor STATE4, MSG 671 movdqa STATE2, T1 672 pand STATE3, T1 673 pxor T1, MSG 674 675 movdqa MSG, T0 676 call __store_partial 677 678 /* mask with byte count: */ 679 movq LEN, T0 680 punpcklbw T0, T0 681 punpcklbw T0, T0 682 punpcklbw T0, T0 683 punpcklbw T0, T0 684 movdqa .Laegis128_counter, T1 685 pcmpgtb T1, T0 686 pand T0, MSG 687 688 aegis128_update 689 pxor MSG, STATE4 690 691 /* store the state: */ 692 movdqu STATE4, 0x00(STATEP) 693 movdqu STATE0, 0x10(STATEP) 694 movdqu STATE1, 0x20(STATEP) 695 movdqu STATE2, 0x30(STATEP) 696 movdqu STATE3, 0x40(STATEP) 697 698 FRAME_END 699 ret 700ENDPROC(crypto_aegis128_aesni_dec_tail) 701 702/* 703 * void crypto_aegis128_aesni_final(void *state, void *tag_xor, 704 * u64 assoclen, u64 cryptlen); 705 */ 706ENTRY(crypto_aegis128_aesni_final) 707 FRAME_BEGIN 708 709 /* load the state: */ 710 movdqu 0x00(STATEP), STATE0 711 movdqu 0x10(STATEP), STATE1 712 movdqu 0x20(STATEP), STATE2 713 movdqu 0x30(STATEP), STATE3 714 movdqu 0x40(STATEP), STATE4 715 716 /* prepare length block: */ 717 movq %rdx, MSG 718 movq %rcx, T0 719 pslldq $8, T0 720 pxor T0, MSG 721 psllq $3, MSG /* multiply by 8 (to get bit count) */ 722 723 pxor STATE3, MSG 724 725 /* update state: */ 726 aegis128_update; pxor MSG, STATE4 727 aegis128_update; pxor MSG, STATE3 728 aegis128_update; pxor MSG, STATE2 729 aegis128_update; pxor MSG, STATE1 730 aegis128_update; pxor MSG, STATE0 731 aegis128_update; pxor MSG, STATE4 732 aegis128_update; pxor MSG, STATE3 733 734 /* xor tag: */ 735 movdqu (%rsi), MSG 736 737 pxor STATE0, MSG 738 pxor STATE1, MSG 739 pxor STATE2, MSG 740 pxor STATE3, MSG 741 pxor STATE4, MSG 742 743 movdqu MSG, (%rsi) 744 745 FRAME_END 746 ret 747ENDPROC(crypto_aegis128_aesni_final) 748