1 /// -*- mode: asm; asm-comment-char: ?/ -*-
3 /// ARM crypto-extension-based implementation of Rijndael
5 /// (c) 2016 Straylight/Edgeware
8 ///----- Licensing notice ---------------------------------------------------
10 /// This file is part of Catacomb.
12 /// Catacomb is free software; you can redistribute it and/or modify
13 /// it under the terms of the GNU Library General Public License as
14 /// published by the Free Software Foundation; either version 2 of the
15 /// License, or (at your option) any later version.
17 /// Catacomb is distributed in the hope that it will be useful,
18 /// but WITHOUT ANY WARRANTY; without even the implied warranty of
19 /// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 /// GNU Library General Public License for more details.
22 /// You should have received a copy of the GNU Library General Public
23 /// License along with Catacomb; if not, write to the Free
24 /// Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 /// MA 02111-1307, USA.
27 ///--------------------------------------------------------------------------
28 /// External definitions.
31 #include "asm-common.h"
34 .globl F(rijndael_rcon)
36 ///--------------------------------------------------------------------------
40 .fpu crypto-neon-fp-armv8
42 /// The ARM crypto extension implements a little-endian version of AES
43 /// (though the manual doesn't actually spell this out and you have to
44 /// experiment), but Catacomb's internal interface presents as big-endian so
45 /// as to work better with things like GCM. We therefore maintain the round
46 /// keys in little-endian form, and have to end-swap blocks in and out.
48 /// For added amusement, the crypto extension doesn't implement the larger-
49 /// block versions of Rijndael, so we have to end-swap the keys if we're
50 /// preparing for one of those.
53 .equ maxrounds, 16 // maximum number of rounds
54 .equ maxblksz, 32 // maximum block size, in bytes
55 .equ kbufsz, maxblksz*(maxrounds + 1) // size of a key-schedule buffer
58 .equ nr, 0 // number of rounds
59 .equ w, nr + 4 // encryption key words
60 .equ wi, w + kbufsz // decryption key words
62 ///--------------------------------------------------------------------------
65 FUNC(rijndael_setup_arm_crypto)
68 // r0 = pointer to context
69 // r1 = block size in words
70 // r2 = pointer to key material
71 // r3 = key size in words
73 stmfd sp!, {r4-r9, r14}
75 // The initial round key material is taken directly from the input
76 // key, so copy it over. Unfortunately, the key material is not
77 // guaranteed to be aligned in any especially useful way, so we must
102 // Find out other useful things and prepare for the main loop.
103 ldr r7, [r0, #nr] // number of rounds
104 mla r2, r1, r7, r1 // total key size in words
105 ldr r4, [r9, #-4] // most recent key word
106 leaextq r5, rijndael_rcon // round constants
107 sub r8, r2, r3 // minus what we've copied already
108 veor q1, q1 // all-zero register for the key
109 add r8, r9, r8, lsl #2 // limit of the key buffer
111 // Main key expansion loop. The first word of each key-length chunk
112 // needs special treatment.
113 9: ldrb r14, [r5], #1 // next round constant
114 ldr r6, [r9, -r3, lsl #2]
116 aese.8 q0, q1 // effectively, just SubBytes
118 eor r4, r14, r4, ror #8
124 // The next three words are simple.
125 ldr r6, [r9, -r3, lsl #2]
132 ldr r6, [r9, -r3, lsl #2]
139 ldr r6, [r9, -r3, lsl #2]
145 // Word 4. If the key is /more/ than 6 words long, then we must
146 // apply a substitution here.
149 ldr r6, [r9, -r3, lsl #2]
153 aese.8 q0, q1 // effectively, just SubBytes
163 ldr r6, [r9, -r3, lsl #2]
172 ldr r6, [r9, -r3, lsl #2]
181 ldr r6, [r9, -r3, lsl #2]
187 // Must be done by now.
190 // Next job is to construct the decryption keys. The keys for the
191 // first and last rounds don't need to be mangled, but the remaining
192 // ones do -- and they all need to be reordered too.
194 // The plan of action, then, is to copy the final encryption round's
195 // keys into place first, then to do each of the intermediate rounds
196 // in reverse order, and finally do the first round.
198 // Do all the heavy lifting with NEON registers. The order we're
199 // doing this in means that it's OK if we read or write too much, and
200 // there's easily enough buffer space for the over-enthusiastic reads
201 // and writes because the context has space for 32-byte blocks, which
202 // is our maximum and an exact fit for two Q-class registers.
205 add r4, r4, r2, lsl #2
206 sub r4, r4, r1, lsl #2 // last round's keys
208 // Copy the last encryption round's keys.
210 vldmiaeq r4, {d0, d1}
212 vstmiaeq r5, {d0, d1}
215 // Update the loop variables and stop if we've finished.
216 9: sub r4, r4, r1, lsl #2
217 add r5, r5, r1, lsl #2
221 // Do another middle round's keys...
223 vldmiaeq r4, {d0, d1}
226 vstmiaeq r5, {d0, d1}
232 // Finally do the first encryption round.
234 vldmiaeq r4, {d0, d1}
236 vstmiaeq r5, {d0, d1}
239 // If the block size is not exactly four words then we must end-swap
240 // everything. We can use fancy NEON toys for this.
243 // End-swap the encryption keys.
247 // And the decryption keys
252 0: ldmfd sp!, {r4-r9, pc}
255 // End-swap R2 words starting at R1. R1 is clobbered; R2 is not.
256 // It's OK to work in 16-byte chunks.
258 0: vldmia r1, {d0, d1}
267 ///--------------------------------------------------------------------------
268 /// Encrypting and decrypting blocks.
270 FUNC(rijndael_eblk_arm_crypto)
273 // r0 = pointer to context
274 // r1 = pointer to input block
275 // r2 = pointer to output block
277 // Set things up ready.
283 // Dispatch according to the number of rounds.
284 add r3, r3, r3, lsl #1
286 addcs pc, pc, r3, lsl #2
289 // The last round doesn't have MixColumns, so do it separately.
311 FUNC(rijndael_dblk_arm_crypto)
314 // r0 = pointer to context
315 // r1 = pointer to input block
316 // r2 = pointer to output block
318 // Set things up ready.
324 // Dispatch according to the number of rounds.
325 add r3, r3, r3, lsl #1
327 addcs pc, pc, r3, lsl #2
330 // The last round doesn't have MixColumns, so do it separately.
352 ///----- That's all, folks --------------------------------------------------