~mdw / catacomb / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
symm/rijndael-arm-crypto.S (rijndael_setup_arm_crypto): Avoid reload.
[catacomb] / symm / rijndael-arm-crypto.S
1 /// -*- mode: asm; asm-comment-char: ?/ -*-
2 ///
3 /// ARM crypto-extension-based implementation of Rijndael
4 ///
5 /// (c) 2016 Straylight/Edgeware
6 ///
7
8 ///----- Licensing notice ---------------------------------------------------
9 ///
10 /// This file is part of Catacomb.
11 ///
12 /// Catacomb is free software; you can redistribute it and/or modify
13 /// it under the terms of the GNU Library General Public License as
14 /// published by the Free Software Foundation; either version 2 of the
15 /// License, or (at your option) any later version.
16 ///
17 /// Catacomb is distributed in the hope that it will be useful,
18 /// but WITHOUT ANY WARRANTY; without even the implied warranty of
19 /// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 /// GNU Library General Public License for more details.
21 ///
22 /// You should have received a copy of the GNU Library General Public
23 /// License along with Catacomb; if not, write to the Free
24 /// Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 /// MA 02111-1307, USA.
26
27 ///--------------------------------------------------------------------------
28 /// External definitions.
29
30 #include "config.h"
31 #include "asm-common.h"
32
33 .globl F(abort)
34 .globl F(rijndael_rcon)
35
36 ///--------------------------------------------------------------------------
37 /// Main code.
38
39 .arch armv8-a
40 .fpu crypto-neon-fp-armv8
41
42 /// The ARM crypto extension implements a little-endian version of AES
43 /// (though the manual doesn't actually spell this out and you have to
44 /// experiment), but Catacomb's internal interface presents as big-endian so
45 /// as to work better with things like GCM. We therefore maintain the round
46 /// keys in little-endian form, and have to end-swap blocks in and out.
47 ///
48 /// For added amusement, the crypto extension doesn't implement the larger-
49 /// block versions of Rijndael, so we have to end-swap the keys if we're
50 /// preparing for one of those.
51
52 // Useful constants.
53 .equ maxrounds, 16 // maximum number of rounds
54 .equ maxblksz, 32 // maximum block size, in bytes
55 .equ kbufsz, maxblksz*(maxrounds + 1) // size of a key-schedule buffer
56
57 // Context structure.
58 .equ nr, 0 // number of rounds
59 .equ w, nr + 4 // encryption key words
60 .equ wi, w + kbufsz // decryption key words
61
62 ///--------------------------------------------------------------------------
63 /// Key setup.
64
65 FUNC(rijndael_setup_arm_crypto)
66
67 // Arguments:
68 // r0 = pointer to context
69 // r1 = block size in words
70 // r2 = pointer to key material
71 // r3 = key size in words
72
73 stmfd sp!, {r4-r9, r14}
74
75 // The initial round key material is taken directly from the input
76 // key, so copy it over. Unfortunately, the key material is not
77 // guaranteed to be aligned in any especially useful way, so we must
78 // sort this out.
79 add r9, r0, #w
80 mov r14, r3
81 ands r6, r2, #3
82 beq 1f
83 mov r6, r6, lsl #3
84 rsb r7, r6, #32
85 bic r2, r2, #3
86 ldr r4, [r2], #4
87
88 0: ldr r5, [r2], #4
89 mov r4, r4, lsr r6
90 orr r4, r5, lsl r7
91 str r4, [r9], #4
92 subs r14, r14, #1
93 movhi r4, r5
94 bhi 0b
95 b 9f
96
97 1: ldr r4, [r2], #4
98 str r4, [r9], #4
99 subs r14, r14, #1
100 bhi 1b
101
102 // Find out other useful things and prepare for the main loop.
103 9: ldr r7, [r0, #nr] // number of rounds
104 mla r2, r1, r7, r1 // total key size in words
105 leaextq r5, rijndael_rcon // round constants
106 sub r8, r2, r3 // minus what we've copied already
107 veor q1, q1 // all-zero register for the key
108 add r8, r9, r8, lsl #2 // limit of the key buffer
109
110 // Main key expansion loop. The first word of each key-length chunk
111 // needs special treatment.
112 0: ldrb r14, [r5], #1 // next round constant
113 ldr r6, [r9, -r3, lsl #2]
114 vdup.32 q0, r4
115 aese.8 q0, q1 // effectively, just SubBytes
116 vmov.32 r4, d0[0]
117 eor r4, r14, r4, ror #8
118 eor r4, r4, r6
119 str r4, [r9], #4
120 cmp r9, r8
121 bcs 9f
122
123 // The next three words are simple.
124 ldr r6, [r9, -r3, lsl #2]
125 eor r4, r4, r6
126 str r4, [r9], #4
127 cmp r9, r8
128 bcs 9f
129
130 // (Word 2...)
131 ldr r6, [r9, -r3, lsl #2]
132 eor r4, r4, r6
133 str r4, [r9], #4
134 cmp r9, r8
135 bcs 9f
136
137 // (Word 3...)
138 ldr r6, [r9, -r3, lsl #2]
139 eor r4, r4, r6
140 str r4, [r9], #4
141 cmp r9, r8
142 bcs 9f
143
144 // Word 4. If the key is /more/ than 6 words long, then we must
145 // apply a substitution here.
146 cmp r3, #5
147 bcc 0b
148 ldr r6, [r9, -r3, lsl #2]
149 cmp r3, #7
150 bcc 1f
151 vdup.32 q0, r4
152 aese.8 q0, q1 // effectively, just SubBytes
153 vmov.32 r4, d0[0]
154 1: eor r4, r4, r6
155 str r4, [r9], #4
156 cmp r9, r8
157 bcs 9f
158
159 // (Word 5...)
160 cmp r3, #6
161 bcc 0b
162 ldr r6, [r9, -r3, lsl #2]
163 eor r4, r4, r6
164 str r4, [r9], #4
165 cmp r9, r8
166 bcs 9f
167
168 // (Word 6...)
169 cmp r3, #7
170 bcc 0b
171 ldr r6, [r9, -r3, lsl #2]
172 eor r4, r4, r6
173 str r4, [r9], #4
174 cmp r9, r8
175 bcs 9f
176
177 // (Word 7...)
178 cmp r3, #8
179 bcc 0b
180 ldr r6, [r9, -r3, lsl #2]
181 eor r4, r4, r6
182 str r4, [r9], #4
183 cmp r9, r8
184 bcs 9f
185
186 // Must be done by now.
187 b 0b
188
189 // Next job is to construct the decryption keys. The keys for the
190 // first and last rounds don't need to be mangled, but the remaining
191 // ones do -- and they all need to be reordered too.
192 //
193 // The plan of action, then, is to copy the final encryption round's
194 // keys into place first, then to do each of the intermediate rounds
195 // in reverse order, and finally do the first round.
196 //
197 // Do all the heavy lifting with NEON registers. The order we're
198 // doing this in means that it's OK if we read or write too much, and
199 // there's easily enough buffer space for the over-enthusiastic reads
200 // and writes because the context has space for 32-byte blocks, which
201 // is our maximum and an exact fit for two Q-class registers.
202 9: add r5, r0, #wi
203 add r4, r0, #w
204 add r4, r4, r2, lsl #2
205 sub r4, r4, r1, lsl #2 // last round's keys
206
207 // Copy the last encryption round's keys.
208 teq r1, #4
209 vldmiaeq r4, {d0, d1}
210 vldmiane r4, {d0-d3}
211 vstmiaeq r5, {d0, d1}
212 vstmiane r5, {d0-d3}
213
214 // Update the loop variables and stop if we've finished.
215 0: sub r4, r4, r1, lsl #2
216 add r5, r5, r1, lsl #2
217 subs r7, r7, #1
218 beq 9f
219
220 // Do another middle round's keys...
221 teq r1, #4
222 vldmiaeq r4, {d0, d1}
223 vldmiane r4, {d0-d3}
224 aesimc.8 q0, q0
225 vstmiaeq r5, {d0, d1}
226 beq 0b
227 aesimc.8 q1, q1
228 vstmia r5, {d0-d3}
229 b 0b
230
231 // Finally do the first encryption round.
232 9: teq r1, #4
233 vldmiaeq r4, {d0, d1}
234 vldmiane r4, {d0-d3}
235 vstmiaeq r5, {d0, d1}
236 vstmiane r5, {d0-d3}
237
238 // If the block size is not exactly four words then we must end-swap
239 // everything. We can use fancy NEON toys for this.
240 beq 9f
241
242 // End-swap the encryption keys.
243 add r1, r0, #w
244 bl endswap_block
245
246 // And the decryption keys
247 add r1, r0, #wi
248 bl endswap_block
249
250 // All done.
251 9: ldmfd sp!, {r4-r9, pc}
252
253 endswap_block:
254 // End-swap R2 words starting at R1. R1 is clobbered; R2 is not.
255 // It's OK to work in 16-byte chunks.
256 mov r4, r2
257 0: vldmia r1, {d0, d1}
258 vrev32.8 q0, q0
259 vstmia r1!, {d0, d1}
260 subs r4, r4, #4
261 bhi 0b
262 bx r14
263
264 ENDFUNC
265
266 ///--------------------------------------------------------------------------
267 /// Encrypting and decrypting blocks.
268
269 FUNC(rijndael_eblk_arm_crypto)
270
271 // Arguments:
272 // r0 = pointer to context
273 // r1 = pointer to input block
274 // r2 = pointer to output block
275
276 // Set things up ready.
277 ldr r3, [r0, #nr]
278 add r0, r0, #w
279 vldmia r1, {d0, d1}
280 vrev32.8 q0, q0
281
282 // Dispatch according to the number of rounds.
283 add r3, r3, r3, lsl #1
284 rsbs r3, r3, #3*14
285 addcs pc, pc, r3, lsl #2
286 callext F(abort)
287
288 // The last round doesn't have MixColumns, so do it separately.
289 .rept 13
290 vldmia r0!, {d2, d3}
291 aese.8 q0, q1
292 aesmc.8 q0, q0
293 .endr
294
295 // Final round.
296 vldmia r0!, {d2, d3}
297 aese.8 q0, q1
298
299 // Final whitening.
300 vldmia r0!, {d2, d3}
301 veor q0, q1
302
303 // All done.
304 vrev32.8 q0, q0
305 vstmia r2, {d0, d1}
306 bx r14
307
308 ENDFUNC
309
310 FUNC(rijndael_dblk_arm_crypto)
311
312 // Arguments:
313 // r0 = pointer to context
314 // r1 = pointer to input block
315 // r2 = pointer to output block
316
317 // Set things up ready.
318 ldr r3, [r0, #nr]
319 add r0, r0, #wi
320 vldmia r1, {d0, d1}
321 vrev32.8 q0, q0
322
323 // Dispatch according to the number of rounds.
324 add r3, r3, r3, lsl #1
325 rsbs r3, r3, #3*14
326 addcs pc, pc, r3, lsl #2
327 callext F(abort)
328
329 // The last round doesn't have MixColumns, so do it separately.
330 .rept 13
331 vldmia r0!, {d2, d3}
332 aesd.8 q0, q1
333 aesimc.8 q0, q0
334 .endr
335
336 // Final round.
337 vldmia r0!, {d2, d3}
338 aesd.8 q0, q1
339
340 // Final whitening.
341 vldmia r0!, {d2, d3}
342 veor q0, q1
343
344 // All done.
345 vrev32.8 q0, q0
346 vstmia r2, {d0, d1}
347 bx r14
348
349 ENDFUNC
350
351 ///----- That's all, folks --------------------------------------------------
Catacomb cryptographic library