1 /* SPDX-License-Identifier: GPL-2.0-only */
3 * AES-NI + SSE2 implementation of AEGIS-128
5 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
9 #include <linux/linkage.h>
10 #include <asm/frame.h>
/*
 * Public AEGIS-128 constants: 32 bytes holding the Fibonacci sequence reduced
 * mod 256 (0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d, ...). They are not
 * secret. The labels and alignment directives for the two 16-byte halves are
 * not visible in this listing; the init routine loads them with movdqa as
 * .Laegis128_const_0 and .Laegis128_const_1, which requires each half to sit
 * on a 16-byte boundary.
 */
27 .section .rodata.cst16.aegis128_const, "aM", @progbits, 32
30 .byte 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d
31 .byte 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62
33 .byte 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1
34 .byte 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd
/*
 * Byte-index vector 0x00..0x0f. Its label is not visible here; the dec_tail
 * routine loads .Laegis128_counter (again with movdqa) in its
 * "mask with byte count" step.
 */
36 .section .rodata.cst16.aegis128_counter, "aM", @progbits, 16
39 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
40 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
47 * STATE[0-4] - input state
49 * STATE[0-4] - output state (shifted positions)
53 .macro aegis128_update
/*
 * The macro body is not shown in this listing. Per the header comment the
 * output state lands in "shifted positions", which matches the call sites:
 * each successive use XORs its input into a different STATE register.
 */
63 * __load_partial: internal ABI
74 SYM_FUNC_START_LOCAL(__load_partial)
/*
 * File-local helper. Its body (file lines 75-125) and the "internal ABI"
 * register contract announced in the header comment are not shown here.
 * NOTE(review): presumably loads a partial (< 16 byte) block without reading
 * past the end of the source buffer - confirm against the full file.
 */
126 SYM_FUNC_END(__load_partial)
129 * __store_partial: internal ABI
140 SYM_FUNC_START_LOCAL(__store_partial)
/*
 * File-local helper. Its body (file lines 141-183) and the "internal ABI"
 * register contract announced in the header comment are not shown here.
 * NOTE(review): presumably writes a partial (< 16 byte) block without
 * writing past the end of the destination buffer - confirm against the
 * full file.
 */
184 SYM_FUNC_END(__store_partial)
187 * void crypto_aegis128_aesni_init(void *state, const void *key, const void *iv);
189 SYM_FUNC_START(crypto_aegis128_aesni_init)
/*
 * Builds the initial AEGIS-128 state (five 16-byte words, 0x50 bytes) from
 * key and IV and writes it to *state. STATEP, KEY, T1 and STATE0-4 are
 * aliases defined outside this listing; the key/IV loads at file lines
 * 190-201 are likewise not shown.
 */
202 /* load the constants: */
/* movdqa faults on a misaligned memory operand, so both labels must be 16-byte aligned. */
203 movdqa .Laegis128_const_0, STATE2
204 movdqa .Laegis128_const_1, STATE1
208 /* update 10 times with KEY / KEY xor IV: */
/*
 * T1 presumably holds KEY xor IV (the load is not shown). The pxor target
 * steps down one register per round because aegis128_update leaves the
 * state in shifted positions.
 */
209 aegis128_update; pxor KEY, STATE4
210 aegis128_update; pxor T1, STATE3
211 aegis128_update; pxor KEY, STATE2
212 aegis128_update; pxor T1, STATE1
213 aegis128_update; pxor KEY, STATE0
214 aegis128_update; pxor T1, STATE4
215 aegis128_update; pxor KEY, STATE3
216 aegis128_update; pxor T1, STATE2
217 aegis128_update; pxor KEY, STATE1
218 aegis128_update; pxor T1, STATE0
220 /* store the state: */
/*
 * movdqu: the state buffer needs no particular alignment. The stored state
 * is derived from the key and no wipe is visible in this listing.
 * NOTE(review): confirm the caller clears the 0x50-byte state buffer once
 * the request completes.
 */
221 movdqu STATE0, 0x00(STATEP)
222 movdqu STATE1, 0x10(STATEP)
223 movdqu STATE2, 0x20(STATEP)
224 movdqu STATE3, 0x30(STATEP)
225 movdqu STATE4, 0x40(STATEP)
229 SYM_FUNC_END(crypto_aegis128_aesni_init)
232 * void crypto_aegis128_aesni_ad(void *state, unsigned int length,
235 SYM_FUNC_START(crypto_aegis128_aesni_ad)
/*
 * Feeds 16-byte blocks of input (the AEAD associated data, going by the
 * function name) into the state. Only the loads, stores and section
 * comments are visible in this listing; the update rounds, length checks
 * and branch labels between them are elided.
 */
241 /* load the state: */
242 movdqu 0x00(STATEP), STATE0
243 movdqu 0x10(STATEP), STATE1
244 movdqu 0x20(STATEP), STATE2
245 movdqu 0x30(STATEP), STATE3
246 movdqu 0x40(STATEP), STATE4
/*
 * Aligned path: five 16-byte blocks per pass. movdqa raises #GP on an
 * address that is not 16-byte aligned, so SRC alignment must have been
 * tested before this point (the test is not visible in this listing).
 */
254 movdqa 0x00(SRC), MSG
261 movdqa 0x10(SRC), MSG
268 movdqa 0x20(SRC), MSG
275 movdqa 0x30(SRC), MSG
282 movdqa 0x40(SRC), MSG
/* Unaligned path: the same five loads with movdqu, which has no alignment requirement. */
294 movdqu 0x00(SRC), MSG
301 movdqu 0x10(SRC), MSG
308 movdqu 0x20(SRC), MSG
315 movdqu 0x30(SRC), MSG
322 movdqu 0x40(SRC), MSG
332 /* store the state: */
/*
 * Five write-back sequences follow, one per exit point (labels elided).
 * Each stores the registers in a different rotation, apparently so that
 * memory always holds the state in logical order no matter how many
 * updates ran since the load.
 */
334 movdqu STATE0, 0x00(STATEP)
335 movdqu STATE1, 0x10(STATEP)
336 movdqu STATE2, 0x20(STATEP)
337 movdqu STATE3, 0x30(STATEP)
338 movdqu STATE4, 0x40(STATEP)
343 movdqu STATE4, 0x00(STATEP)
344 movdqu STATE0, 0x10(STATEP)
345 movdqu STATE1, 0x20(STATEP)
346 movdqu STATE2, 0x30(STATEP)
347 movdqu STATE3, 0x40(STATEP)
352 movdqu STATE3, 0x00(STATEP)
353 movdqu STATE4, 0x10(STATEP)
354 movdqu STATE0, 0x20(STATEP)
355 movdqu STATE1, 0x30(STATEP)
356 movdqu STATE2, 0x40(STATEP)
361 movdqu STATE2, 0x00(STATEP)
362 movdqu STATE3, 0x10(STATEP)
363 movdqu STATE4, 0x20(STATEP)
364 movdqu STATE0, 0x30(STATEP)
365 movdqu STATE1, 0x40(STATEP)
370 movdqu STATE1, 0x00(STATEP)
371 movdqu STATE2, 0x10(STATEP)
372 movdqu STATE3, 0x20(STATEP)
373 movdqu STATE4, 0x30(STATEP)
374 movdqu STATE0, 0x40(STATEP)
381 SYM_FUNC_END(crypto_aegis128_aesni_ad)
/*
 * encrypt_block: processes block number \i (byte offset \i * 0x10).
 * \a is the movdq suffix: "a" emits movdqa, "u" emits movdqu. The same
 * suffix is used for the SRC load and the DST store, so the "a" variant
 * is only safe when both pointers are 16-byte aligned. \s0-\s4 name the
 * state registers in their current rotation; the instructions that use
 * them (file lines 385-390) are not shown in this listing.
 */
383 .macro encrypt_block a s0 s1 s2 s3 s4 i
384 movdq\a (\i * 0x10)(SRC), MSG
/* Output is written from T0; MSG still holds the input block at this point. */
391 movdq\a T0, (\i * 0x10)(DST)
402 * void crypto_aegis128_aesni_enc(void *state, unsigned int length,
403 * const void *src, void *dst);
405 SYM_FUNC_START(crypto_aegis128_aesni_enc)
/*
 * Encrypts 16-byte blocks from src to dst, five per pass, updating the
 * state as it goes. Length checks, branch labels and the alignment
 * dispatch are elided from this listing.
 */
411 /* load the state: */
412 movdqu 0x00(STATEP), STATE0
413 movdqu 0x10(STATEP), STATE1
414 movdqu 0x20(STATEP), STATE2
415 movdqu 0x30(STATEP), STATE3
416 movdqu 0x40(STATEP), STATE4
/*
 * Aligned variant (movdqa on both SRC and DST). It must only run after
 * both pointers were checked for 16-byte alignment; that check is not
 * visible here. The register list rotates by one per block to follow the
 * shifted state.
 */
425 encrypt_block a STATE0 STATE1 STATE2 STATE3 STATE4 0
426 encrypt_block a STATE4 STATE0 STATE1 STATE2 STATE3 1
427 encrypt_block a STATE3 STATE4 STATE0 STATE1 STATE2 2
428 encrypt_block a STATE2 STATE3 STATE4 STATE0 STATE1 3
429 encrypt_block a STATE1 STATE2 STATE3 STATE4 STATE0 4
/* Unaligned variant: identical sequence using movdqu. */
437 encrypt_block u STATE0 STATE1 STATE2 STATE3 STATE4 0
438 encrypt_block u STATE4 STATE0 STATE1 STATE2 STATE3 1
439 encrypt_block u STATE3 STATE4 STATE0 STATE1 STATE2 2
440 encrypt_block u STATE2 STATE3 STATE4 STATE0 STATE1 3
441 encrypt_block u STATE1 STATE2 STATE3 STATE4 STATE0 4
447 /* store the state: */
/*
 * Five write-back sequences, one per exit point (labels elided). The
 * rotation of each matches the register order of the block that would
 * come next, so memory apparently always receives the state in logical
 * order.
 */
449 movdqu STATE4, 0x00(STATEP)
450 movdqu STATE0, 0x10(STATEP)
451 movdqu STATE1, 0x20(STATEP)
452 movdqu STATE2, 0x30(STATEP)
453 movdqu STATE3, 0x40(STATEP)
458 movdqu STATE3, 0x00(STATEP)
459 movdqu STATE4, 0x10(STATEP)
460 movdqu STATE0, 0x20(STATEP)
461 movdqu STATE1, 0x30(STATEP)
462 movdqu STATE2, 0x40(STATEP)
467 movdqu STATE2, 0x00(STATEP)
468 movdqu STATE3, 0x10(STATEP)
469 movdqu STATE4, 0x20(STATEP)
470 movdqu STATE0, 0x30(STATEP)
471 movdqu STATE1, 0x40(STATEP)
476 movdqu STATE1, 0x00(STATEP)
477 movdqu STATE2, 0x10(STATEP)
478 movdqu STATE3, 0x20(STATEP)
479 movdqu STATE4, 0x30(STATEP)
480 movdqu STATE0, 0x40(STATEP)
485 movdqu STATE0, 0x00(STATEP)
486 movdqu STATE1, 0x10(STATEP)
487 movdqu STATE2, 0x20(STATEP)
488 movdqu STATE3, 0x30(STATEP)
489 movdqu STATE4, 0x40(STATEP)
496 SYM_FUNC_END(crypto_aegis128_aesni_enc)
499 * void crypto_aegis128_aesni_enc_tail(void *state, unsigned int length,
500 * const void *src, void *dst);
502 SYM_FUNC_START(crypto_aegis128_aesni_enc_tail)
/*
 * Tail variant of the encrypt routine. The encryption steps themselves
 * (file lines 513-526) are not shown in this listing.
 * NOTE(review): presumably handles a final block shorter than 16 bytes via
 * __load_partial/__store_partial so that no bytes outside src/dst are
 * touched - confirm against the full file.
 */
505 /* load the state: */
506 movdqu 0x00(STATEP), STATE0
507 movdqu 0x10(STATEP), STATE1
508 movdqu 0x20(STATEP), STATE2
509 movdqu 0x30(STATEP), STATE3
510 movdqu 0x40(STATEP), STATE4
512 /* encrypt message: */
527 /* store the state: */
/* Rotated by one position (STATE4 first), consistent with a single state update. */
528 movdqu STATE4, 0x00(STATEP)
529 movdqu STATE0, 0x10(STATEP)
530 movdqu STATE1, 0x20(STATEP)
531 movdqu STATE2, 0x30(STATEP)
532 movdqu STATE3, 0x40(STATEP)
536 SYM_FUNC_END(crypto_aegis128_aesni_enc_tail)
/*
 * decrypt_block: processes block number \i (byte offset \i * 0x10).
 * \a is the movdq suffix: "a" emits movdqa, "u" emits movdqu. The same
 * suffix is used for the SRC load and the DST store, so the "a" variant
 * is only safe when both pointers are 16-byte aligned. The instructions
 * between the load and the store (file lines 540-544) are not shown in
 * this listing.
 */
538 .macro decrypt_block a s0 s1 s2 s3 s4 i
539 movdq\a (\i * 0x10)(SRC), MSG
/*
 * Unlike encrypt_block, the output is written from MSG itself, i.e. the
 * block is transformed in place in the register. The store happens here,
 * before any tag check could have run: NOTE(review) confirm the caller
 * does not release dst contents until the tag has been verified.
 */
545 movdq\a MSG, (\i * 0x10)(DST)
556 * void crypto_aegis128_aesni_dec(void *state, unsigned int length,
557 * const void *src, void *dst);
559 SYM_FUNC_START(crypto_aegis128_aesni_dec)
/*
 * Decrypts 16-byte blocks from src to dst, five per pass, updating the
 * state as it goes. Length checks, branch labels and the alignment
 * dispatch are elided from this listing.
 */
565 /* load the state: */
566 movdqu 0x00(STATEP), STATE0
567 movdqu 0x10(STATEP), STATE1
568 movdqu 0x20(STATEP), STATE2
569 movdqu 0x30(STATEP), STATE3
570 movdqu 0x40(STATEP), STATE4
/*
 * Aligned variant (movdqa on both SRC and DST). It must only run after
 * both pointers were checked for 16-byte alignment; that check is not
 * visible here. The register list rotates by one per block to follow the
 * shifted state.
 */
579 decrypt_block a STATE0 STATE1 STATE2 STATE3 STATE4 0
580 decrypt_block a STATE4 STATE0 STATE1 STATE2 STATE3 1
581 decrypt_block a STATE3 STATE4 STATE0 STATE1 STATE2 2
582 decrypt_block a STATE2 STATE3 STATE4 STATE0 STATE1 3
583 decrypt_block a STATE1 STATE2 STATE3 STATE4 STATE0 4
/* Unaligned variant: identical sequence using movdqu. */
591 decrypt_block u STATE0 STATE1 STATE2 STATE3 STATE4 0
592 decrypt_block u STATE4 STATE0 STATE1 STATE2 STATE3 1
593 decrypt_block u STATE3 STATE4 STATE0 STATE1 STATE2 2
594 decrypt_block u STATE2 STATE3 STATE4 STATE0 STATE1 3
595 decrypt_block u STATE1 STATE2 STATE3 STATE4 STATE0 4
601 /* store the state: */
/*
 * Five write-back sequences, one per exit point (labels elided). The
 * rotation of each matches the register order of the block that would
 * come next, so memory apparently always receives the state in logical
 * order.
 */
603 movdqu STATE4, 0x00(STATEP)
604 movdqu STATE0, 0x10(STATEP)
605 movdqu STATE1, 0x20(STATEP)
606 movdqu STATE2, 0x30(STATEP)
607 movdqu STATE3, 0x40(STATEP)
612 movdqu STATE3, 0x00(STATEP)
613 movdqu STATE4, 0x10(STATEP)
614 movdqu STATE0, 0x20(STATEP)
615 movdqu STATE1, 0x30(STATEP)
616 movdqu STATE2, 0x40(STATEP)
621 movdqu STATE2, 0x00(STATEP)
622 movdqu STATE3, 0x10(STATEP)
623 movdqu STATE4, 0x20(STATEP)
624 movdqu STATE0, 0x30(STATEP)
625 movdqu STATE1, 0x40(STATEP)
630 movdqu STATE1, 0x00(STATEP)
631 movdqu STATE2, 0x10(STATEP)
632 movdqu STATE3, 0x20(STATEP)
633 movdqu STATE4, 0x30(STATEP)
634 movdqu STATE0, 0x40(STATEP)
639 movdqu STATE0, 0x00(STATEP)
640 movdqu STATE1, 0x10(STATEP)
641 movdqu STATE2, 0x20(STATEP)
642 movdqu STATE3, 0x30(STATEP)
643 movdqu STATE4, 0x40(STATEP)
650 SYM_FUNC_END(crypto_aegis128_aesni_dec)
653 * void crypto_aegis128_aesni_dec_tail(void *state, unsigned int length,
654 * const void *src, void *dst);
656 SYM_FUNC_START(crypto_aegis128_aesni_dec_tail)
/*
 * Tail variant of the decrypt routine. The decryption steps (file lines
 * 667-677) and most of the masking sequence are not shown in this listing.
 */
659 /* load the state: */
660 movdqu 0x00(STATEP), STATE0
661 movdqu 0x10(STATEP), STATE1
662 movdqu 0x20(STATEP), STATE2
663 movdqu 0x30(STATEP), STATE3
664 movdqu 0x40(STATEP), STATE4
666 /* decrypt message: */
678 /* mask with byte count: */
/*
 * Loads the byte-index vector 0x00..0x0f. NOTE(review): presumably compared
 * against the length to build a per-byte mask, so that bytes beyond the
 * message length are zeroed before they are absorbed into the state -
 * confirm against the elided lines. The mask would depend only on the
 * length, not on key or plaintext.
 */
684 movdqa .Laegis128_counter, T1
691 /* store the state: */
/* Rotated by one position (STATE4 first), consistent with a single state update. */
692 movdqu STATE4, 0x00(STATEP)
693 movdqu STATE0, 0x10(STATEP)
694 movdqu STATE1, 0x20(STATEP)
695 movdqu STATE2, 0x30(STATEP)
696 movdqu STATE3, 0x40(STATEP)
700 SYM_FUNC_END(crypto_aegis128_aesni_dec_tail)
703 * void crypto_aegis128_aesni_final(void *state, void *tag_xor,
704 * u64 assoclen, u64 cryptlen);
706 SYM_FUNC_START(crypto_aegis128_aesni_final)
/*
 * Finalisation: mixes a length block into the state over seven update
 * rounds. The construction of the length block, the tag computation and
 * the write through tag_xor (file lines 733-746) are not shown in this
 * listing.
 */
709 /* load the state: */
710 movdqu 0x00(STATEP), STATE0
711 movdqu 0x10(STATEP), STATE1
712 movdqu 0x20(STATEP), STATE2
713 movdqu 0x30(STATEP), STATE3
714 movdqu 0x40(STATEP), STATE4
716 /* prepare length block: */
/*
 * psllq shifts each 64-bit lane independently, so both values packed into
 * MSG are converted to bit counts at once - presumably assoclen and
 * cryptlen from the prototype; the packing itself is not shown.
 */
721 psllq $3, MSG /* multiply by 8 (to get bit count) */
/* Seven rounds; the pxor target rotates to follow the shifted state. */
726 aegis128_update; pxor MSG, STATE4
727 aegis128_update; pxor MSG, STATE3
728 aegis128_update; pxor MSG, STATE2
729 aegis128_update; pxor MSG, STATE1
730 aegis128_update; pxor MSG, STATE0
731 aegis128_update; pxor MSG, STATE4
732 aegis128_update; pxor MSG, STATE3
/*
 * NOTE(review): tag verification is not part of this file. Confirm the
 * caller compares the tag with a constant-time routine and wipes the state
 * buffer afterwards.
 */
747 SYM_FUNC_END(crypto_aegis128_aesni_final)