| blob | 839706b5a37cf090090b9cb21798ceb46be1a96b |
1 /*
2 * ====================================================================
3 * Written by Intel Corporation for the OpenSSL project to add support
4 * for Intel AES-NI instructions. Rights for redistribution and usage
5 * in source and binary forms are granted according to the OpenSSL
6 * license.
7 *
8 * Author: Huang Ying <ying.huang at intel dot com>
9 * Vinodh Gopal <vinodh.gopal at intel dot com>
10 * Kahraman Akdemir
11 *
12 * Intel AES-NI is a new set of Single Instruction Multiple Data (SIMD)
13 * instructions that are going to be introduced in the next generation
14 * of Intel processor, as of 2009. These instructions enable fast and
15 * secure data encryption and decryption, using the Advanced Encryption
16 * Standard (AES), defined by FIPS Publication number 197. The
17 * architecture introduces six instructions that offer full hardware
18 * support for AES. Four of them support high performance data
19 * encryption and decryption, and the other two instructions support
20 * the AES key expansion procedure.
21 * ====================================================================
22 */
24 /*
25 * ====================================================================
26 * Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved.
27 *
28 * Redistribution and use in source and binary forms, with or without
29 * modification, are permitted provided that the following conditions
30 * are met:
31 *
32 * 1. Redistributions of source code must retain the above copyright
33 * notice, this list of conditions and the following disclaimer.
34 *
35 * 2. Redistributions in binary form must reproduce the above copyright
36 * notice, this list of conditions and the following disclaimer in
37 * the documentation and/or other materials provided with the
38 * distribution.
39 *
40 * 3. All advertising materials mentioning features or use of this
41 * software must display the following acknowledgment:
42 * "This product includes software developed by the OpenSSL Project
43 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
44 *
45 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
46 * endorse or promote products derived from this software without
47 * prior written permission. For written permission, please contact
48 * openssl-core@openssl.org.
49 *
50 * 5. Products derived from this software may not be called "OpenSSL"
51 * nor may "OpenSSL" appear in their names without prior written
52 * permission of the OpenSSL Project.
53 *
54 * 6. Redistributions of any form whatsoever must retain the following
55 * acknowledgment:
56 * "This product includes software developed by the OpenSSL Project
57 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
58 *
59 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
60 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
61 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
62 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
63 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
64 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
65 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
66 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
67 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
68 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
69 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
70 * OF THE POSSIBILITY OF SUCH DAMAGE.
71 * ====================================================================
72 */
74 /*
75 * ====================================================================
76 * OpenSolaris OS modifications
77 *
78 * This source originates as files aes-intel.S and eng_aesni_asm.pl, in
79 * patches sent sent Dec. 9, 2008 and Dec. 24, 2008, respectively, by
80 * Huang Ying of Intel to the openssl-dev mailing list under the subject
81 * of "Add support to Intel AES-NI instruction set for x86_64 platform".
82 *
83 * This OpenSolaris version has these major changes from the original source:
84 *
85 * 1. Added OpenSolaris ENTRY_NP/SET_SIZE macros from
86 * /usr/include/sys/asm_linkage.h, lint(1B) guards, and dummy C function
87 * definitions for lint.
88 *
89 * 2. Formatted code, added comments, and added #includes and #defines.
90 *
91 * 3. If bit CR0.TS is set, clear and set the TS bit, after and before
92 * calling kpreempt_disable() and kpreempt_enable().
93 * If the TS bit is not set, Save and restore %xmm registers at the beginning
94 * and end of function calls (%xmm* registers are not saved and restored by
95 * during kernel thread preemption).
96 *
97 * 4. Renamed functions, reordered parameters, and changed return value
98 * to match OpenSolaris:
99 *
100 * OpenSSL interface:
101 * int intel_AES_set_encrypt_key(const unsigned char *userKey,
102 * const int bits, AES_KEY *key);
103 * int intel_AES_set_decrypt_key(const unsigned char *userKey,
104 * const int bits, AES_KEY *key);
105 * Return values for above are non-zero on error, 0 on success.
106 *
107 * void intel_AES_encrypt(const unsigned char *in, unsigned char *out,
108 * const AES_KEY *key);
109 * void intel_AES_decrypt(const unsigned char *in, unsigned char *out,
110 * const AES_KEY *key);
111 * typedef struct aes_key_st {
112 * unsigned int rd_key[4 *(AES_MAXNR + 1)];
113 * int rounds;
114 * unsigned int pad[3];
115 * } AES_KEY;
116 * Note: AES_LONG is undefined (that is, Intel uses 32-bit key schedules
117 * (ks32) instead of 64-bit (ks64).
118 * Number of rounds (aka round count) is at offset 240 of AES_KEY.
119 *
120 * OpenSolaris OS interface (#ifdefs removed for readability):
121 * int rijndael_key_setup_dec_intel(uint32_t rk[],
122 * const uint32_t cipherKey[], uint64_t keyBits);
123 * int rijndael_key_setup_enc_intel(uint32_t rk[],
124 * const uint32_t cipherKey[], uint64_t keyBits);
125 * Return values for above are 0 on error, number of rounds on success.
126 *
127 * void aes_encrypt_intel(const aes_ks_t *ks, int Nr,
128 * const uint32_t pt[4], uint32_t ct[4]);
129 * void aes_decrypt_intel(const aes_ks_t *ks, int Nr,
130 * const uint32_t pt[4], uint32_t ct[4]);
131 * typedef union {uint64_t ks64[(MAX_AES_NR + 1) * 4];
132 * uint32_t ks32[(MAX_AES_NR + 1) * 4]; } aes_ks_t;
133 *
134 * typedef union {
135 * uint32_t ks32[((MAX_AES_NR) + 1) * (MAX_AES_NB)];
136 * } aes_ks_t;
137 * typedef struct aes_key {
138 * aes_ks_t encr_ks, decr_ks;
139 * long double align128;
140 * int flags, nr, type;
141 * } aes_key_t;
142 *
143 * Note: ks is the AES key schedule, Nr is number of rounds, pt is plain text,
144 * ct is crypto text, and MAX_AES_NR is 14.
145 * For the x86 64-bit architecture, OpenSolaris OS uses ks32 instead of ks64.
146 *
147 * Note2: aes_ks_t must be aligned on a 0 mod 128 byte boundary.
148 *
149 * ====================================================================
150 */
152 #if defined(lint) || defined(__lint)
154 #include <sys/types.h>
156 /* ARGSUSED */
157 void
160 }
161 /* ARGSUSED */
162 void
165 }
166 /* ARGSUSED */
167 int
169 uint64_t keyBits) {
171 }
172 /* ARGSUSED */
173 int
175 uint64_t keyBits) {
177 }
180 #else /* lint */
182 #include <sys/asm_linkage.h>
183 #include <sys/controlregs.h>
184 #ifdef _KERNEL
185 #include <sys/machprivregs.h>
186 #endif
188 #ifdef _KERNEL
189 /*
190 * Note: the CLTS macro clobbers P2 (%rsi) under i86xpv. That is,
191 * it calls HYPERVISOR_fpu_taskswitch() which modifies %rsi when it
192 * uses it to pass P2 to syscall.
193 * This also occurs with the STTS macro, but we don't care if
194 * P2 (%rsi) is modified just before function exit.
195 * The CLTS and STTS macros push and pop P1 (%rdi) already.
196 */
197 #ifdef __xpv
198 #define PROTECTED_CLTS \
199 push %rsi; \
200 CLTS; \
201 pop %rsi
202 #else
203 #define PROTECTED_CLTS \
204 CLTS
205 #endif /* __xpv */
207 #define CLEAR_TS_OR_PUSH_XMM0_XMM1(tmpreg) \
208 push %rbp; \
211 testq $CR0_TS, tmpreg; \
212 jnz 1f; \
217 jmp 2f; \
219 PROTECTED_CLTS; \
222 /*
223 * If CR0_TS was not set above, pop %xmm0 and %xmm1 off stack,
224 * otherwise set CR0_TS.
225 */
226 #define SET_TS_OR_POP_XMM0_XMM1(tmpreg) \
227 testq $CR0_TS, tmpreg; \
228 jnz 1f; \
231 jmp 2f; \
236 pop %rbp
238 /*
239 * If CR0_TS is not set, align stack (with push %rbp) and push
240 * %xmm0 - %xmm6 on stack, otherwise clear CR0_TS
241 */
242 #define CLEAR_TS_OR_PUSH_XMM0_TO_XMM6(tmpreg) \
243 push %rbp; \
246 testq $CR0_TS, tmpreg; \
247 jnz 1f; \
257 jmp 2f; \
259 PROTECTED_CLTS; \
263 /*
264 * If CR0_TS was not set above, pop %xmm0 - %xmm6 off stack,
265 * otherwise set CR0_TS.
266 */
267 #define SET_TS_OR_POP_XMM0_TO_XMM6(tmpreg) \
268 testq $CR0_TS, tmpreg; \
269 jnz 1f; \
277 jmp 2f; \
282 pop %rbp
285 #else
286 #define PROTECTED_CLTS
287 #define CLEAR_TS_OR_PUSH_XMM0_XMM1(tmpreg)
288 #define SET_TS_OR_POP_XMM0_XMM1(tmpreg)
289 #define CLEAR_TS_OR_PUSH_XMM0_TO_XMM6(tmpreg)
290 #define SET_TS_OR_POP_XMM0_TO_XMM6(tmpreg)
291 #endif /* _KERNEL */
294 /*
295 * _key_expansion_128(), * _key_expansion_192a(), _key_expansion_192b(),
296 * _key_expansion_256a(), _key_expansion_256b()
297 *
298 * Helper functions called by rijndael_key_setup_inc_intel().
299 * Also used indirectly by rijndael_key_setup_dec_intel().
300 *
301 * Input:
302 * %xmm0 User-provided cipher key
303 * %xmm1 Round constant
304 * Output:
305 * (%rcx) AES key
306 */
308 .align 16
309 _key_expansion_128:
310 _key_expansion_256a:
319 ret
323 .align 16
324 _key_expansion_192a:
345 ret
348 .align 16
349 _key_expansion_192b:
365 ret
368 .align 16
369 _key_expansion_256b:
378 ret
382 /*
383 * rijndael_key_setup_enc_intel()
384 * Expand the cipher key into the encryption key schedule.
385 *
386 * For kernel code, caller is responsible for ensuring kpreempt_disable()
387 * has been called. This is because %xmm registers are not saved/restored.
388 * Clear and set the CR0.TS bit on entry and exit, respectively, if TS is set
389 * on entry. Otherwise, if TS is not set, save and restore %xmm registers
390 * on the stack.
391 *
392 * OpenSolaris interface:
393 * int rijndael_key_setup_enc_intel(uint32_t rk[], const uint32_t cipherKey[],
394 * uint64_t keyBits);
395 * Return value is 0 on error, number of rounds on success.
396 *
397 * Original Intel OpenSSL interface:
398 * int intel_AES_set_encrypt_key(const unsigned char *userKey,
399 * const int bits, AES_KEY *key);
400 * Return value is non-zero on error, 0 on success.
401 */
403 #ifdef OPENSSL_INTERFACE
404 #define rijndael_key_setup_enc_intel intel_AES_set_encrypt_key
405 #define rijndael_key_setup_dec_intel intel_AES_set_decrypt_key
407 #define USERCIPHERKEY rdi /* P1, 64 bits */
408 #define KEYSIZE32 esi /* P2, 32 bits */
409 #define KEYSIZE64 rsi /* P2, 64 bits */
410 #define AESKEY rdx /* P3, 64 bits */
412 #else /* OpenSolaris Interface */
413 #define AESKEY rdi /* P1, 64 bits */
414 #define USERCIPHERKEY rsi /* P2, 64 bits */
415 #define KEYSIZE32 edx /* P3, 32 bits */
416 #define KEYSIZE64 rdx /* P3, 64 bits */
417 #endif /* OPENSSL_INTERFACE */
419 #define ROUNDS32 KEYSIZE32 /* temp */
420 #define ROUNDS64 KEYSIZE64 /* temp */
421 #define ENDAESKEY USERCIPHERKEY /* temp */
427 / NULL pointer sanity check
429 jz .Lenc_key_invalid_param
431 jz .Lenc_key_invalid_param
439 jnz .Lenc_key192
442 #ifdef OPENSSL_INTERFACE
445 #endif /* OPENSSL_INTERFACE */
452 call _key_expansion_256a
454 call _key_expansion_256b
456 call _key_expansion_256a
458 call _key_expansion_256b
460 call _key_expansion_256a
462 call _key_expansion_256b
464 call _key_expansion_256a
466 call _key_expansion_256b
468 call _key_expansion_256a
470 call _key_expansion_256b
472 call _key_expansion_256a
474 call _key_expansion_256b
476 call _key_expansion_256a
479 #ifdef OPENSSL_INTERFACE
481 #else /* Open Solaris Interface */
483 #endif
484 ret
486 .align 4
487 .Lenc_key192:
489 jnz .Lenc_key128
492 #ifdef OPENSSL_INTERFACE
495 #endif /* OPENSSL_INTERFACE */
499 call _key_expansion_192a
501 call _key_expansion_192b
503 call _key_expansion_192a
505 call _key_expansion_192b
507 call _key_expansion_192a
509 call _key_expansion_192b
511 call _key_expansion_192a
513 call _key_expansion_192b
516 #ifdef OPENSSL_INTERFACE
518 #else /* OpenSolaris Interface */
520 #endif
521 ret
523 .align 4
524 .Lenc_key128:
526 jnz .Lenc_key_invalid_key_bits
529 #ifdef OPENSSL_INTERFACE
532 #endif /* OPENSSL_INTERFACE */
535 call _key_expansion_128
537 call _key_expansion_128
539 call _key_expansion_128
541 call _key_expansion_128
543 call _key_expansion_128
545 call _key_expansion_128
547 call _key_expansion_128
549 call _key_expansion_128
551 call _key_expansion_128
553 call _key_expansion_128
556 #ifdef OPENSSL_INTERFACE
558 #else /* OpenSolaris Interface */
560 #endif
561 ret
563 .Lenc_key_invalid_param:
564 #ifdef OPENSSL_INTERFACE
567 ret
568 #else
569 /* FALLTHROUGH */
570 #endif /* OPENSSL_INTERFACE */
572 .Lenc_key_invalid_key_bits:
574 #ifdef OPENSSL_INTERFACE
576 #else /* Open Solaris Interface */
578 #endif /* OPENSSL_INTERFACE */
580 ret
584 /*
585 * rijndael_key_setup_dec_intel()
586 * Expand the cipher key into the decryption key schedule.
587 *
588 * For kernel code, caller is responsible for ensuring kpreempt_disable()
589 * has been called. This is because %xmm registers are not saved/restored.
590 * Clear and set the CR0.TS bit on entry and exit, respectively, if TS is set
591 * on entry. Otherwise, if TS is not set, save and restore %xmm registers
592 * on the stack.
593 *
594 * OpenSolaris interface:
595 * int rijndael_key_setup_dec_intel(uint32_t rk[], const uint32_t cipherKey[],
596 * uint64_t keyBits);
597 * Return value is 0 on error, number of rounds on success.
598 * P1->P2, P2->P3, P3->P1
599 *
600 * Original Intel OpenSSL interface:
601 * int intel_AES_set_decrypt_key(const unsigned char *userKey,
602 * const int bits, AES_KEY *key);
603 * Return value is non-zero on error, 0 on success.
604 */
606 / Generate round keys used for encryption
607 call rijndael_key_setup_enc_intel
609 #ifdef OPENSSL_INTERFACE
610 jnz .Ldec_key_exit / Failed if returned non-0
611 #else /* OpenSolaris Interface */
612 jz .Ldec_key_exit / Failed if returned 0
613 #endif /* OPENSSL_INTERFACE */
617 /*
618 * Convert round keys used for encryption
619 * to a form usable for decryption
620 */
621 #ifndef OPENSSL_INTERFACE /* OpenSolaris Interface */
624 #endif
631 .align 4
632 .Ldec_key_reorder_loop:
640 ja .Ldec_key_reorder_loop
642 .align 4
643 .Ldec_key_inv_loop:
651 jnz .Ldec_key_inv_loop
655 .Ldec_key_exit:
658 ret
662 /*
663 * aes_encrypt_intel()
664 * Encrypt a single block (in and out can overlap).
665 *
666 * For kernel code, caller is responsible for ensuring kpreempt_disable()
667 * has been called. This is because %xmm registers are not saved/restored.
668 * Clear and set the CR0.TS bit on entry and exit, respectively, if TS is set
669 * on entry. Otherwise, if TS is not set, save and restore %xmm registers
670 * on the stack.
671 *
672 * Temporary register usage:
673 * %xmm0 State
674 * %xmm1 Key
675 *
676 * Original OpenSolaris Interface:
677 * void aes_encrypt_intel(const aes_ks_t *ks, int Nr,
678 * const uint32_t pt[4], uint32_t ct[4])
679 *
680 * Original Intel OpenSSL Interface:
681 * void intel_AES_encrypt(const unsigned char *in, unsigned char *out,
682 * const AES_KEY *key)
683 */
685 #ifdef OPENSSL_INTERFACE
686 #define aes_encrypt_intel intel_AES_encrypt
687 #define aes_decrypt_intel intel_AES_decrypt
689 #define INP rdi /* P1, 64 bits */
690 #define OUTP rsi /* P2, 64 bits */
691 #define KEYP rdx /* P3, 64 bits */
693 /* No NROUNDS parameter--offset 240 from KEYP saved in %ecx: */
694 #define NROUNDS32 ecx /* temporary, 32 bits */
695 #define NROUNDS cl /* temporary, 8 bits */
697 #else /* OpenSolaris Interface */
698 #define KEYP rdi /* P1, 64 bits */
699 #define NROUNDS esi /* P2, 32 bits */
700 #define INP rdx /* P3, 64 bits */
701 #define OUTP rcx /* P4, 64 bits */
702 #endif /* OPENSSL_INTERFACE */
704 #define STATE xmm0 /* temporary, 128 bits */
705 #define KEY xmm1 /* temporary, 128 bits */
712 #ifdef OPENSSL_INTERFACE
714 #else /* OpenSolaris Interface */
715 /* Round count is already present as P2 in %rsi/%esi */
716 #endif /* OPENSSL_INTERFACE */
721 jb .Lenc128
723 je .Lenc192
732 .align 4
733 .Lenc192:
740 .align 4
741 .Lenc128:
766 ret
770 /*
771 * aes_decrypt_intel()
772 * Decrypt a single block (in and out can overlap).
773 *
774 * For kernel code, caller is responsible for ensuring kpreempt_disable()
775 * has been called. This is because %xmm registers are not saved/restored.
776 * Clear and set the CR0.TS bit on entry and exit, respectively, if TS is set
777 * on entry. Otherwise, if TS is not set, save and restore %xmm registers
778 * on the stack.
779 *
780 * Temporary register usage:
781 * %xmm0 State
782 * %xmm1 Key
783 *
784 * Original OpenSolaris Interface:
785 * void aes_decrypt_intel(const aes_ks_t *ks, int Nr,
786 * const uint32_t pt[4], uint32_t ct[4])/
787 *
788 * Original Intel OpenSSL Interface:
789 * void intel_AES_decrypt(const unsigned char *in, unsigned char *out,
790 * const AES_KEY *key);
791 */
797 #ifdef OPENSSL_INTERFACE
799 #else /* OpenSolaris Interface */
800 /* Round count is already present as P2 in %rsi/%esi */
801 #endif /* OPENSSL_INTERFACE */
806 jb .Ldec128
808 je .Ldec192
817 .align 4
818 .Ldec192:
825 .align 4
826 .Ldec128:
851 ret
854 #endif /* lint || __lint */