Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
linux_kernel
/
arch
/
arm
/
crypto
/
ghash-ce-core.S

ghash-ce-core.S 6.9 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340 
  1. /*
    2. 

  2.  * Accelerated GHASH implementation with NEON/ARMv8 vmull.p8/64 instructions.
    3. 

  3.  *
    4. 

  4.  * Copyright (C) 2015 - 2017 Linaro Ltd. <ard.biesheuvel@linaro.org>
    5. 

  5.  *
    6. 

  6.  * This program is free software; you can redistribute it and/or modify it
    7. 

  7.  * under the terms of the GNU General Public License version 2 as published
    8. 

  8.  * by the Free Software Foundation.
    9. 

  9.  */
    10. 

  10. 

  11. #include <linux/linkage.h>
    12. 

  12. #include <asm/assembler.h>
    13. 

  13. 

  14. 	SHASH		.req	q0
    15. 

  15. 	T1		.req	q1
    16. 

  16. 	XL		.req	q2
    17. 

  17. 	XM		.req	q3
    18. 

  18. 	XH		.req	q4
    19. 

  19. 	IN1		.req	q4
    20. 

  20. 

  21. 	SHASH_L		.req	d0
    22. 

  22. 	SHASH_H		.req	d1
    23. 

  23. 	T1_L		.req	d2
    24. 

  24. 	T1_H		.req	d3
    25. 

  25. 	XL_L		.req	d4
    26. 

  26. 	XL_H		.req	d5
    27. 

  27. 	XM_L		.req	d6
    28. 

  28. 	XM_H		.req	d7
    29. 

  29. 	XH_L		.req	d8
    30. 

  30. 

  31. 	t0l		.req	d10
    32. 

  32. 	t0h		.req	d11
    33. 

  33. 	t1l		.req	d12
    34. 

  34. 	t1h		.req	d13
    35. 

  35. 	t2l		.req	d14
    36. 

  36. 	t2h		.req	d15
    37. 

  37. 	t3l		.req	d16
    38. 

  38. 	t3h		.req	d17
    39. 

  39. 	t4l		.req	d18
    40. 

  40. 	t4h		.req	d19
    41. 

  41. 

  42. 	t0q		.req	q5
    43. 

  43. 	t1q		.req	q6
    44. 

  44. 	t2q		.req	q7
    45. 

  45. 	t3q		.req	q8
    46. 

  46. 	t4q		.req	q9
    47. 

  47. 	T2		.req	q9
    48. 

  48. 

  49. 	s1l		.req	d20
    50. 

  50. 	s1h		.req	d21
    51. 

  51. 	s2l		.req	d22
    52. 

  52. 	s2h		.req	d23
    53. 

  53. 	s3l		.req	d24
    54. 

  54. 	s3h		.req	d25
    55. 

  55. 	s4l		.req	d26
    56. 

  56. 	s4h		.req	d27
    57. 

  57. 

  58. 	MASK		.req	d28
    59. 

  59. 	SHASH2_p8	.req	d28
    60. 

  60. 

  61. 	k16		.req	d29
    62. 

  62. 	k32		.req	d30
    63. 

  63. 	k48		.req	d31
    64. 

  64. 	SHASH2_p64	.req	d31
    65. 

  65. 

  66. 	HH		.req	q10
    67. 

  67. 	HH3		.req	q11
    68. 

  68. 	HH4		.req	q12
    69. 

  69. 	HH34		.req	q13
    70. 

  70. 

  71. 	HH_L		.req	d20
    72. 

  72. 	HH_H		.req	d21
    73. 

  73. 	HH3_L		.req	d22
    74. 

  74. 	HH3_H		.req	d23
    75. 

  75. 	HH4_L		.req	d24
    76. 

  76. 	HH4_H		.req	d25
    77. 

  77. 	HH34_L		.req	d26
    78. 

  78. 	HH34_H		.req	d27
    79. 

  79. 	SHASH2_H	.req	d29
    80. 

  80. 

  81. 	XL2		.req	q5
    82. 

  82. 	XM2		.req	q6
    83. 

  83. 	XH2		.req	q7
    84. 

  84. 	T3		.req	q8
    85. 

  85. 

  86. 	XL2_L		.req	d10
    87. 

  87. 	XL2_H		.req	d11
    88. 

  88. 	XM2_L		.req	d12
    89. 

  89. 	XM2_H		.req	d13
    90. 

  90. 	T3_L		.req	d16
    91. 

  91. 	T3_H		.req	d17
    92. 

  92. 

  93. 	.text
    94. 

  94. 	.fpu		crypto-neon-fp-armv8
    95. 

  95. 

  96. 	.macro		__pmull_p64, rd, rn, rm, b1, b2, b3, b4
    97. 

  97. 	vmull.p64	\rd, \rn, \rm
    98. 

  98. 	.endm
    99. 

  99. 

  100. 	/*
    101. 

  101. 	 * This implementation of 64x64 -> 128 bit polynomial multiplication
    102. 

  102. 	 * using vmull.p8 instructions (8x8 -> 16) is taken from the paper
    103. 

  103. 	 * "Fast Software Polynomial Multiplication on ARM Processors Using
    104. 

  104. 	 * the NEON Engine" by Danilo Camara, Conrado Gouvea, Julio Lopez and
    105. 

  105. 	 * Ricardo Dahab (https://hal.inria.fr/hal-01506572)
    106. 

  106. 	 *
    107. 

  107. 	 * It has been slightly tweaked for in-order performance, and to allow
    108. 

  108. 	 * 'rq' to overlap with 'ad' or 'bd'.
    109. 

  109. 	 */
    110. 

  110. 	.macro		__pmull_p8, rq, ad, bd, b1=t4l, b2=t3l, b3=t4l, b4=t3l
    111. 

  111. 	vext.8		t0l, \ad, \ad, #1	@ A1
    112. 

  112. 	.ifc		\b1, t4l
    113. 

  113. 	vext.8		t4l, \bd, \bd, #1	@ B1
    114. 

  114. 	.endif
    115. 

  115. 	vmull.p8	t0q, t0l, \bd		@ F = A1*B
    116. 

  116. 	vext.8		t1l, \ad, \ad, #2	@ A2
    117. 

  117. 	vmull.p8	t4q, \ad, \b1		@ E = A*B1
    118. 

  118. 	.ifc		\b2, t3l
    119. 

  119. 	vext.8		t3l, \bd, \bd, #2	@ B2
    120. 

  120. 	.endif
    121. 

  121. 	vmull.p8	t1q, t1l, \bd		@ H = A2*B
    122. 

  122. 	vext.8		t2l, \ad, \ad, #3	@ A3
    123. 

  123. 	vmull.p8	t3q, \ad, \b2		@ G = A*B2
    124. 

  124. 	veor		t0q, t0q, t4q		@ L = E + F
    125. 

  125. 	.ifc		\b3, t4l
    126. 

  126. 	vext.8		t4l, \bd, \bd, #3	@ B3
    127. 

  127. 	.endif
    128. 

  128. 	vmull.p8	t2q, t2l, \bd		@ J = A3*B
    129. 

  129. 	veor		t0l, t0l, t0h		@ t0 = (L) (P0 + P1) << 8
    130. 

  130. 	veor		t1q, t1q, t3q		@ M = G + H
    131. 

  131. 	.ifc		\b4, t3l
    132. 

  132. 	vext.8		t3l, \bd, \bd, #4	@ B4
    133. 

  133. 	.endif
    134. 

  134. 	vmull.p8	t4q, \ad, \b3		@ I = A*B3
    135. 

  135. 	veor		t1l, t1l, t1h		@ t1 = (M) (P2 + P3) << 16
    136. 

  136. 	vmull.p8	t3q, \ad, \b4		@ K = A*B4
    137. 

  137. 	vand		t0h, t0h, k48
    138. 

  138. 	vand		t1h, t1h, k32
    139. 

  139. 	veor		t2q, t2q, t4q		@ N = I + J
    140. 

  140. 	veor		t0l, t0l, t0h
    141. 

  141. 	veor		t1l, t1l, t1h
    142. 

  142. 	veor		t2l, t2l, t2h		@ t2 = (N) (P4 + P5) << 24
    143. 

  143. 	vand		t2h, t2h, k16
    144. 

  144. 	veor		t3l, t3l, t3h		@ t3 = (K) (P6 + P7) << 32
    145. 

  145. 	vmov.i64	t3h, #0
    146. 

  146. 	vext.8		t0q, t0q, t0q, #15
    147. 

  147. 	veor		t2l, t2l, t2h
    148. 

  148. 	vext.8		t1q, t1q, t1q, #14
    149. 

  149. 	vmull.p8	\rq, \ad, \bd		@ D = A*B
    150. 

  150. 	vext.8		t2q, t2q, t2q, #13
    151. 

  151. 	vext.8		t3q, t3q, t3q, #12
    152. 

  152. 	veor		t0q, t0q, t1q
    153. 

  153. 	veor		t2q, t2q, t3q
    154. 

  154. 	veor		\rq, \rq, t0q
    155. 

  155. 	veor		\rq, \rq, t2q
    156. 

  156. 	.endm
    157. 

  157. 

  158. 	//
    159. 

  159. 	// PMULL (64x64->128) based reduction for CPUs that can do
    160. 

  160. 	// it in a single instruction.
    161. 

  161. 	//
    162. 

  162. 	.macro		__pmull_reduce_p64
    163. 

  163. 	vmull.p64	T1, XL_L, MASK
    164. 

  164. 

  165. 	veor		XH_L, XH_L, XM_H
    166. 

  166. 	vext.8		T1, T1, T1, #8
    167. 

  167. 	veor		XL_H, XL_H, XM_L
    168. 

  168. 	veor		T1, T1, XL
    169. 

  169. 

  170. 	vmull.p64	XL, T1_H, MASK
    171. 

  171. 	.endm
    172. 

  172. 

  173. 	//
    174. 

  174. 	// Alternative reduction for CPUs that lack support for the
    175. 

  175. 	// 64x64->128 PMULL instruction
    176. 

  176. 	//
    177. 

  177. 	.macro		__pmull_reduce_p8
    178. 

  178. 	veor		XL_H, XL_H, XM_L
    179. 

  179. 	veor		XH_L, XH_L, XM_H
    180. 

  180. 

  181. 	vshl.i64	T1, XL, #57
    182. 

  182. 	vshl.i64	T2, XL, #62
    183. 

  183. 	veor		T1, T1, T2
    184. 

  184. 	vshl.i64	T2, XL, #63
    185. 

  185. 	veor		T1, T1, T2
    186. 

  186. 	veor		XL_H, XL_H, T1_L
    187. 

  187. 	veor		XH_L, XH_L, T1_H
    188. 

  188. 

  189. 	vshr.u64	T1, XL, #1
    190. 

  190. 	veor		XH, XH, XL
    191. 

  191. 	veor		XL, XL, T1
    192. 

  192. 	vshr.u64	T1, T1, #6
    193. 

  193. 	vshr.u64	XL, XL, #1
    194. 

  194. 	.endm
    195. 

  195. 

  196. 	.macro		ghash_update, pn
    197. 

  197. 	vld1.64		{XL}, [r1]
    198. 

  198. 

  199. 	/* do the head block first, if supplied */
    200. 

  200. 	ldr		ip, [sp]
    201. 

  201. 	teq		ip, #0
    202. 

  202. 	beq		0f
    203. 

  203. 	vld1.64		{T1}, [ip]
    204. 

  204. 	teq		r0, #0
    205. 

  205. 	b		3f
    206. 

  206. 

  207. 0:	.ifc		\pn, p64
    208. 

  208. 	tst		r0, #3			// skip until #blocks is a
    209. 

  209. 	bne		2f			// round multiple of 4
    210. 

  210. 

  211. 	vld1.8		{XL2-XM2}, [r2]!
    212. 

  212. 1:	vld1.8		{T3-T2}, [r2]!
    213. 

  213. 	vrev64.8	XL2, XL2
    214. 

  214. 	vrev64.8	XM2, XM2
    215. 

  215. 

  216. 	subs		r0, r0, #4
    217. 

  217. 

  218. 	vext.8		T1, XL2, XL2, #8
    219. 

  219. 	veor		XL2_H, XL2_H, XL_L
    220. 

  220. 	veor		XL, XL, T1
    221. 

  221. 

  222. 	vrev64.8	T3, T3
    223. 

  223. 	vrev64.8	T1, T2
    224. 

  224. 

  225. 	vmull.p64	XH, HH4_H, XL_H			// a1 * b1
    226. 

  226. 	veor		XL2_H, XL2_H, XL_H
    227. 

  227. 	vmull.p64	XL, HH4_L, XL_L			// a0 * b0
    228. 

  228. 	vmull.p64	XM, HH34_H, XL2_H		// (a1 + a0)(b1 + b0)
    229. 

  229. 

  230. 	vmull.p64	XH2, HH3_H, XM2_L		// a1 * b1
    231. 

  231. 	veor		XM2_L, XM2_L, XM2_H
    232. 

  232. 	vmull.p64	XL2, HH3_L, XM2_H		// a0 * b0
    233. 

  233. 	vmull.p64	XM2, HH34_L, XM2_L		// (a1 + a0)(b1 + b0)
    234. 

  234. 

  235. 	veor		XH, XH, XH2
    236. 

  236. 	veor		XL, XL, XL2
    237. 

  237. 	veor		XM, XM, XM2
    238. 

  238. 

  239. 	vmull.p64	XH2, HH_H, T3_L			// a1 * b1
    240. 

  240. 	veor		T3_L, T3_L, T3_H
    241. 

  241. 	vmull.p64	XL2, HH_L, T3_H			// a0 * b0
    242. 

  242. 	vmull.p64	XM2, SHASH2_H, T3_L		// (a1 + a0)(b1 + b0)
    243. 

  243. 

  244. 	veor		XH, XH, XH2
    245. 

  245. 	veor		XL, XL, XL2
    246. 

  246. 	veor		XM, XM, XM2
    247. 

  247. 

  248. 	vmull.p64	XH2, SHASH_H, T1_L		// a1 * b1
    249. 

  249. 	veor		T1_L, T1_L, T1_H
    250. 

  250. 	vmull.p64	XL2, SHASH_L, T1_H		// a0 * b0
    251. 

  251. 	vmull.p64	XM2, SHASH2_p64, T1_L		// (a1 + a0)(b1 + b0)
    252. 

  252. 

  253. 	veor		XH, XH, XH2
    254. 

  254. 	veor		XL, XL, XL2
    255. 

  255. 	veor		XM, XM, XM2
    256. 

  256. 

  257. 	beq		4f
    258. 

  258. 

  259. 	vld1.8		{XL2-XM2}, [r2]!
    260. 

  260. 

  261. 	veor		T1, XL, XH
    262. 

  262. 	veor		XM, XM, T1
    263. 

  263. 

  264. 	__pmull_reduce_p64
    265. 

  265. 

  266. 	veor		T1, T1, XH
    267. 

  267. 	veor		XL, XL, T1
    268. 

  268. 

  269. 	b		1b
    270. 

  270. 	.endif
    271. 

  271. 

  272. 2:	vld1.64		{T1}, [r2]!
    273. 

  273. 	subs		r0, r0, #1
    274. 

  274. 

  275. 3:	/* multiply XL by SHASH in GF(2^128) */
    276. 

  276. #ifndef CONFIG_CPU_BIG_ENDIAN
    277. 

  277. 	vrev64.8	T1, T1
    278. 

  278. #endif
    279. 

  279. 	vext.8		IN1, T1, T1, #8
    280. 

  280. 	veor		T1_L, T1_L, XL_H
    281. 

  281. 	veor		XL, XL, IN1
    282. 

  282. 

  283. 	__pmull_\pn	XH, XL_H, SHASH_H, s1h, s2h, s3h, s4h	@ a1 * b1
    284. 

  284. 	veor		T1, T1, XL
    285. 

  285. 	__pmull_\pn	XL, XL_L, SHASH_L, s1l, s2l, s3l, s4l	@ a0 * b0
    286. 

  286. 	__pmull_\pn	XM, T1_L, SHASH2_\pn			@ (a1+a0)(b1+b0)
    287. 

  287. 

  288. 4:	veor		T1, XL, XH
    289. 

  289. 	veor		XM, XM, T1
    290. 

  290. 

  291. 	__pmull_reduce_\pn
    292. 

  292. 

  293. 	veor		T1, T1, XH
    294. 

  294. 	veor		XL, XL, T1
    295. 

  295. 

  296. 	bne		0b
    297. 

  297. 

  298. 	vst1.64		{XL}, [r1]
    299. 

  299. 	bx		lr
    300. 

  300. 	.endm
    301. 

  301. 

  302. 	/*
    303. 

  303. 	 * void pmull_ghash_update(int blocks, u64 dg[], const char *src,
    304. 

  304. 	 *			   struct ghash_key const *k, const char *head)
    305. 

  305. 	 */
    306. 

  306. ENTRY(pmull_ghash_update_p64)
    307. 

  307. 	vld1.64		{SHASH}, [r3]!
    308. 

  308. 	vld1.64		{HH}, [r3]!
    309. 

  309. 	vld1.64		{HH3-HH4}, [r3]
    310. 

  310. 

  311. 	veor		SHASH2_p64, SHASH_L, SHASH_H
    312. 

  312. 	veor		SHASH2_H, HH_L, HH_H
    313. 

  313. 	veor		HH34_L, HH3_L, HH3_H
    314. 

  314. 	veor		HH34_H, HH4_L, HH4_H
    315. 

  315. 

  316. 	vmov.i8		MASK, #0xe1
    317. 

  317. 	vshl.u64	MASK, MASK, #57
    318. 

  318. 

  319. 	ghash_update	p64
    320. 

  320. ENDPROC(pmull_ghash_update_p64)
    321. 

  321. 

  322. ENTRY(pmull_ghash_update_p8)
    323. 

  323. 	vld1.64		{SHASH}, [r3]
    324. 

  324. 	veor		SHASH2_p8, SHASH_L, SHASH_H
    325. 

  325. 

  326. 	vext.8		s1l, SHASH_L, SHASH_L, #1
    327. 

  327. 	vext.8		s2l, SHASH_L, SHASH_L, #2
    328. 

  328. 	vext.8		s3l, SHASH_L, SHASH_L, #3
    329. 

  329. 	vext.8		s4l, SHASH_L, SHASH_L, #4
    330. 

  330. 	vext.8		s1h, SHASH_H, SHASH_H, #1
    331. 

  331. 	vext.8		s2h, SHASH_H, SHASH_H, #2
    332. 

  332. 	vext.8		s3h, SHASH_H, SHASH_H, #3
    333. 

  333. 	vext.8		s4h, SHASH_H, SHASH_H, #4
    334. 

  334. 

  335. 	vmov.i64	k16, #0xffff
    336. 

  336. 	vmov.i64	k32, #0xffffffff
    337. 

  337. 	vmov.i64	k48, #0xffffffffffff
    338. 

  338. 

  339. 	ghash_update	p8
    340. 

  340. ENDPROC(pmull_ghash_update_p8)
    341.