2 * AES-NI + SSE2 implementation of AEGIS-128
4 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
5 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License version 2 as published
9 * by the Free Software Foundation.
12 #include <linux/linkage.h>
13 #include <asm/frame.h>
30 .section .rodata.cst16.aegis128_const, "aM", @progbits, 32
/* AEGIS-128 initialization constants: the Fibonacci sequence modulo 256
 * (0,1,1,2,3,5,... continuing across both 16-byte blocks), presumably
 * labelled .Laegis128_const_0 / .Laegis128_const_1 on the lines not shown
 * here and loaded into STATE2 / STATE1 by crypto_aegis128_aesni_init.
 * They are read with movdqa, so the 16-byte alignment this .cst16 section
 * is meant to carry must be kept (the .align directive is not in view). */
33 .byte 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d
34 .byte 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62
36 .byte 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1
37 .byte 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd
39 .section .rodata.cst16.aegis128_counter, "aM", @progbits, 16
/* Byte indices 0..15 (.Laegis128_counter). crypto_aegis128_aesni_dec_tail
 * loads this under its "mask with byte count" step; presumably each index
 * is compared against the tail length to build a byte mask that zeroes
 * everything past the end of a partial final block. */
42 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
43 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
50 * STATE[0-4] - input state
52 * STATE[0-4] - output state (shifted positions)
56 .macro aegis128_update
66 * __load_partial: internal ABI
129 ENDPROC(__load_partial)
132 * __store_partial: internal ABI
187 ENDPROC(__store_partial)
190 * void crypto_aegis128_aesni_init(void *state, const void *key, const void *iv);
192 ENTRY(crypto_aegis128_aesni_init)
/*
 * Derive the initial 5 x 16-byte AEGIS-128 state from key and IV and write
 * it to the state buffer.  Register aliases (STATEP, KEY, T1, STATE0-4) are
 * defined near the top of the file, outside this excerpt; their roles as
 * used below:
 *   STATEP   - pointer to the 80-byte state buffer (arg "state")
 *   KEY      - the 128-bit key block
 *   T1       - KEY xor IV according to the loop comment below; the lines
 *              that compute it and seed STATE0/3/4 are not in view - confirm
 *   STATE0-4 - the five state words; aegis128_update rotates them, which is
 *              why the XOR target walks 4,3,2,1,0 twice across ten rounds.
 * Frame setup/teardown (the file includes <asm/frame.h>) is also not shown.
 */
205 /* load the constants: */
/* movdqa requires the 16-byte-aligned source the .rodata.cst16 section provides. */
206 movdqa .Laegis128_const_0, STATE2
207 movdqa .Laegis128_const_1, STATE1
211 /* update 10 times with KEY / KEY xor IV: */
/* ';' is a statement separator in x86 GAS: each line is one full update
 * round followed by the XOR of KEY (even rounds) or KEY^IV (odd rounds)
 * into the slot that the rotation just made the "new" word. */
212 aegis128_update; pxor KEY, STATE4
213 aegis128_update; pxor T1, STATE3
214 aegis128_update; pxor KEY, STATE2
215 aegis128_update; pxor T1, STATE1
216 aegis128_update; pxor KEY, STATE0
217 aegis128_update; pxor T1, STATE4
218 aegis128_update; pxor KEY, STATE3
219 aegis128_update; pxor T1, STATE2
220 aegis128_update; pxor KEY, STATE1
221 aegis128_update; pxor T1, STATE0
223 /* store the state: */
/* Canonical layout: word i at STATEP + i*0x10.  movdqu is used, so the
 * buffer itself need not be aligned.  What is stored is key-derived secret
 * material; its lifetime and zeroization belong to the C caller. */
224 movdqu STATE0, 0x00(STATEP)
225 movdqu STATE1, 0x10(STATEP)
226 movdqu STATE2, 0x20(STATEP)
227 movdqu STATE3, 0x30(STATEP)
228 movdqu STATE4, 0x40(STATEP)
232 ENDPROC(crypto_aegis128_aesni_init)
235 * void crypto_aegis128_aesni_ad(void *state, unsigned int length,
238 ENTRY(crypto_aegis128_aesni_ad)
/*
 * Absorb associated data into the state.  Each 16-byte block loaded from
 * SRC is only fed into an update round (the round itself, the length
 * bookkeeping and the loop branches sit on the lines not shown); nothing is
 * written back to memory besides the state, i.e. AD is authenticated only.
 * Two copies of the same 5-blocks-per-iteration loop follow.  Presumably an
 * alignment test on SRC (not in view) chooses between them: the first uses
 * movdqa and raises #GP if SRC is not 16-byte aligned, the second uses
 * movdqu and accepts any pointer.  Neither path branches on data, only on
 * the length/alignment, as far as the visible lines show.
 */
244 /* load the state: */
245 movdqu 0x00(STATEP), STATE0
246 movdqu 0x10(STATEP), STATE1
247 movdqu 0x20(STATEP), STATE2
248 movdqu 0x30(STATEP), STATE3
249 movdqu 0x40(STATEP), STATE4
/* Aligned loop: block i is read from SRC + i*0x10; SRC must be 16-aligned. */
257 movdqa 0x00(SRC), MSG
264 movdqa 0x10(SRC), MSG
271 movdqa 0x20(SRC), MSG
278 movdqa 0x30(SRC), MSG
285 movdqa 0x40(SRC), MSG
/* Unaligned loop: same schedule, movdqu tolerates any SRC alignment. */
297 movdqu 0x00(SRC), MSG
304 movdqu 0x10(SRC), MSG
311 movdqu 0x20(SRC), MSG
318 movdqu 0x30(SRC), MSG
325 movdqu 0x40(SRC), MSG
335 /* store the state: */
/* Five exit variants.  After k blocks of the last (partial) iteration the
 * register contents are rotated by k relative to the canonical layout, so
 * each variant writes the registers back in the order that puts the
 * logical word 0 at offset 0x00 again.  The labels that select a variant
 * (and the jumps to them) are not in view. */
337 movdqu STATE0, 0x00(STATEP)
338 movdqu STATE1, 0x10(STATEP)
339 movdqu STATE2, 0x20(STATEP)
340 movdqu STATE3, 0x30(STATEP)
341 movdqu STATE4, 0x40(STATEP)
/* rotated by 1 */
346 movdqu STATE4, 0x00(STATEP)
347 movdqu STATE0, 0x10(STATEP)
348 movdqu STATE1, 0x20(STATEP)
349 movdqu STATE2, 0x30(STATEP)
350 movdqu STATE3, 0x40(STATEP)
/* rotated by 2 */
355 movdqu STATE3, 0x00(STATEP)
356 movdqu STATE4, 0x10(STATEP)
357 movdqu STATE0, 0x20(STATEP)
358 movdqu STATE1, 0x30(STATEP)
359 movdqu STATE2, 0x40(STATEP)
/* rotated by 3 */
364 movdqu STATE2, 0x00(STATEP)
365 movdqu STATE3, 0x10(STATEP)
366 movdqu STATE4, 0x20(STATEP)
367 movdqu STATE0, 0x30(STATEP)
368 movdqu STATE1, 0x40(STATEP)
/* rotated by 4 */
373 movdqu STATE1, 0x00(STATEP)
374 movdqu STATE2, 0x10(STATEP)
375 movdqu STATE3, 0x20(STATEP)
376 movdqu STATE4, 0x30(STATEP)
377 movdqu STATE0, 0x40(STATEP)
384 ENDPROC(crypto_aegis128_aesni_ad)
386 .macro encrypt_block a s0 s1 s2 s3 s4 i
/* Encrypt block \i: read 16 bytes at SRC + \i*0x10, write the result at
 * DST + \i*0x10.  s0..s4 receive the state registers already rotated by
 * \i so the macro never has to move them.  \a is 'a' or 'u' and expands
 * to movdqa/movdqu: with 'a' both SRC and DST must be 16-byte aligned or
 * the access faults.  The keystream computation and the state update
 * between the two moves, and the closing .endm, are outside this excerpt;
 * T0 is presumably the ciphertext block produced there. */
387 movdq\a (\i * 0x10)(SRC), MSG
394 movdq\a T0, (\i * 0x10)(DST)
405 * void crypto_aegis128_aesni_enc(void *state, unsigned int length,
406 * const void *src, void *dst);
408 ENTRY(crypto_aegis128_aesni_enc)
/*
 * Encrypt whole 16-byte blocks from SRC to DST, absorbing each plaintext
 * block into the state.  Two copies of a 5-blocks-per-iteration loop
 * follow; presumably an alignment test (not in view) picks the 'a' loop
 * when SRC and DST are both 16-byte aligned and the 'u' loop otherwise,
 * since the 'a' form of encrypt_block uses movdqa and faults on misaligned
 * pointers.  Loop control, the length decrement and the exit jumps are on
 * lines not shown.
 */
414 /* load the state: */
415 movdqu 0x00(STATEP), STATE0
416 movdqu 0x10(STATEP), STATE1
417 movdqu 0x20(STATEP), STATE2
418 movdqu 0x30(STATEP), STATE3
419 movdqu 0x40(STATEP), STATE4
/* Aligned loop.  Block i gets the state registers rotated by i, so the
 * rotation is expressed in the operand order instead of register moves. */
428 encrypt_block a STATE0 STATE1 STATE2 STATE3 STATE4 0
429 encrypt_block a STATE4 STATE0 STATE1 STATE2 STATE3 1
430 encrypt_block a STATE3 STATE4 STATE0 STATE1 STATE2 2
431 encrypt_block a STATE2 STATE3 STATE4 STATE0 STATE1 3
432 encrypt_block a STATE1 STATE2 STATE3 STATE4 STATE0 4
/* Unaligned loop: identical schedule with movdqu. */
440 encrypt_block u STATE0 STATE1 STATE2 STATE3 STATE4 0
441 encrypt_block u STATE4 STATE0 STATE1 STATE2 STATE3 1
442 encrypt_block u STATE3 STATE4 STATE0 STATE1 STATE2 2
443 encrypt_block u STATE2 STATE3 STATE4 STATE0 STATE1 3
444 encrypt_block u STATE1 STATE2 STATE3 STATE4 STATE0 4
450 /* store the state: */
/* Exit variants, rotated by 1..4 and then 0: after k blocks of the final
 * partial iteration the registers are rotated by k, and each variant
 * restores the canonical layout (logical word 0 at 0x00).  The selecting
 * labels are not in view. */
452 movdqu STATE4, 0x00(STATEP)
453 movdqu STATE0, 0x10(STATEP)
454 movdqu STATE1, 0x20(STATEP)
455 movdqu STATE2, 0x30(STATEP)
456 movdqu STATE3, 0x40(STATEP)
/* rotated by 2 */
461 movdqu STATE3, 0x00(STATEP)
462 movdqu STATE4, 0x10(STATEP)
463 movdqu STATE0, 0x20(STATEP)
464 movdqu STATE1, 0x30(STATEP)
465 movdqu STATE2, 0x40(STATEP)
/* rotated by 3 */
470 movdqu STATE2, 0x00(STATEP)
471 movdqu STATE3, 0x10(STATEP)
472 movdqu STATE4, 0x20(STATEP)
473 movdqu STATE0, 0x30(STATEP)
474 movdqu STATE1, 0x40(STATEP)
/* rotated by 4 */
479 movdqu STATE1, 0x00(STATEP)
480 movdqu STATE2, 0x10(STATEP)
481 movdqu STATE3, 0x20(STATEP)
482 movdqu STATE4, 0x30(STATEP)
483 movdqu STATE0, 0x40(STATEP)
/* no rotation (full iteration completed) */
488 movdqu STATE0, 0x00(STATEP)
489 movdqu STATE1, 0x10(STATEP)
490 movdqu STATE2, 0x20(STATEP)
491 movdqu STATE3, 0x30(STATEP)
492 movdqu STATE4, 0x40(STATEP)
499 ENDPROC(crypto_aegis128_aesni_enc)
502 * void crypto_aegis128_aesni_enc_tail(void *state, unsigned int length,
503 * const void *src, void *dst);
505 ENTRY(crypto_aegis128_aesni_enc_tail)
/*
 * Encrypt the final partial block (presumably length < 16; the caller is
 * expected to have routed whole blocks through crypto_aegis128_aesni_enc).
 * Only the state load and store are in view: the partial-block read, the
 * single encrypt step and the partial write back - the __load_partial /
 * __store_partial helpers declared earlier in the file are the likely
 * mechanism - are on lines not shown.  Those helpers are what keeps this
 * routine from reading or writing past the end of the caller's buffer, so
 * their bounds handling is the part to review.
 */
508 /* load the state: */
509 movdqu 0x00(STATEP), STATE0
510 movdqu 0x10(STATEP), STATE1
511 movdqu 0x20(STATEP), STATE2
512 movdqu 0x30(STATEP), STATE3
513 movdqu 0x40(STATEP), STATE4
515 /* encrypt message: */
530 /* store the state: */
/* Written back rotated by one (STATE4 at 0x00), consistent with exactly
 * one update round having been applied to the loaded state. */
531 movdqu STATE4, 0x00(STATEP)
532 movdqu STATE0, 0x10(STATEP)
533 movdqu STATE1, 0x20(STATEP)
534 movdqu STATE2, 0x30(STATEP)
535 movdqu STATE3, 0x40(STATEP)
538 ENDPROC(crypto_aegis128_aesni_enc_tail)
540 .macro decrypt_block a s0 s1 s2 s3 s4 i
/* Decrypt block \i: read 16 bytes of ciphertext at SRC + \i*0x10 into MSG
 * and write MSG - turned into plaintext by the lines between the two moves,
 * which are not shown - to DST + \i*0x10.  s0..s4 are the state registers
 * rotated by \i.  \a selects movdqa ('a', requires 16-byte-aligned SRC and
 * DST) or movdqu ('u').  Unlike encrypt_block the plaintext is what gets
 * absorbed into the state, so the state update must use the decrypted MSG;
 * that update and the closing .endm are outside this excerpt. */
541 movdq\a (\i * 0x10)(SRC), MSG
547 movdq\a MSG, (\i * 0x10)(DST)
558 * void crypto_aegis128_aesni_dec(void *state, unsigned int length,
559 * const void *src, void *dst);
561 ENTRY(crypto_aegis128_aesni_dec)
/*
 * Decrypt whole 16-byte blocks from SRC to DST, absorbing each recovered
 * plaintext block into the state.  Same structure as
 * crypto_aegis128_aesni_enc: an aligned loop (decrypt_block 'a' => movdqa,
 * faults on misaligned SRC/DST) and an unaligned one, presumably chosen by
 * an alignment test that is not in view, with the loop control on lines
 * not shown.  Note that this routine writes plaintext to DST before the
 * tag has been checked - tag verification happens later in
 * crypto_aegis128_aesni_final's caller - so the C glue must not release
 * unverified plaintext.
 */
567 /* load the state: */
568 movdqu 0x00(STATEP), STATE0
569 movdqu 0x10(STATEP), STATE1
570 movdqu 0x20(STATEP), STATE2
571 movdqu 0x30(STATEP), STATE3
572 movdqu 0x40(STATEP), STATE4
/* Aligned loop; state registers passed rotated by i for block i. */
581 decrypt_block a STATE0 STATE1 STATE2 STATE3 STATE4 0
582 decrypt_block a STATE4 STATE0 STATE1 STATE2 STATE3 1
583 decrypt_block a STATE3 STATE4 STATE0 STATE1 STATE2 2
584 decrypt_block a STATE2 STATE3 STATE4 STATE0 STATE1 3
585 decrypt_block a STATE1 STATE2 STATE3 STATE4 STATE0 4
/* Unaligned loop: identical schedule with movdqu. */
593 decrypt_block u STATE0 STATE1 STATE2 STATE3 STATE4 0
594 decrypt_block u STATE4 STATE0 STATE1 STATE2 STATE3 1
595 decrypt_block u STATE3 STATE4 STATE0 STATE1 STATE2 2
596 decrypt_block u STATE2 STATE3 STATE4 STATE0 STATE1 3
597 decrypt_block u STATE1 STATE2 STATE3 STATE4 STATE0 4
603 /* store the state: */
/* Exit variants rotated by 1..4, then 0; each restores the canonical
 * layout after k blocks of a partial final iteration.  Selecting labels
 * are not in view. */
605 movdqu STATE4, 0x00(STATEP)
606 movdqu STATE0, 0x10(STATEP)
607 movdqu STATE1, 0x20(STATEP)
608 movdqu STATE2, 0x30(STATEP)
609 movdqu STATE3, 0x40(STATEP)
/* rotated by 2 */
614 movdqu STATE3, 0x00(STATEP)
615 movdqu STATE4, 0x10(STATEP)
616 movdqu STATE0, 0x20(STATEP)
617 movdqu STATE1, 0x30(STATEP)
618 movdqu STATE2, 0x40(STATEP)
/* rotated by 3 */
623 movdqu STATE2, 0x00(STATEP)
624 movdqu STATE3, 0x10(STATEP)
625 movdqu STATE4, 0x20(STATEP)
626 movdqu STATE0, 0x30(STATEP)
627 movdqu STATE1, 0x40(STATEP)
/* rotated by 4 */
632 movdqu STATE1, 0x00(STATEP)
633 movdqu STATE2, 0x10(STATEP)
634 movdqu STATE3, 0x20(STATEP)
635 movdqu STATE4, 0x30(STATEP)
636 movdqu STATE0, 0x40(STATEP)
/* no rotation (full iteration completed) */
641 movdqu STATE0, 0x00(STATEP)
642 movdqu STATE1, 0x10(STATEP)
643 movdqu STATE2, 0x20(STATEP)
644 movdqu STATE3, 0x30(STATEP)
645 movdqu STATE4, 0x40(STATEP)
652 ENDPROC(crypto_aegis128_aesni_dec)
655 * void crypto_aegis128_aesni_dec_tail(void *state, unsigned int length,
656 * const void *src, void *dst);
658 ENTRY(crypto_aegis128_aesni_dec_tail)
/*
 * Decrypt the final partial block.  The decryption itself and the partial
 * load/store are on lines not shown.  The visible "mask with byte count"
 * step loads .Laegis128_counter (byte indices 0..15); presumably each index
 * is compared against the tail length to zero every plaintext byte past
 * `length` before the block is absorbed into the state.  That masking is
 * what keeps the state identical to the reference construction - if bytes
 * beyond the tail leaked into the update, the tag computed by
 * crypto_aegis128_aesni_final would not match the encryptor's.  The
 * compare and the update round are not in view; confirm the mask is
 * applied before the state absorbs MSG.
 */
661 /* load the state: */
662 movdqu 0x00(STATEP), STATE0
663 movdqu 0x10(STATEP), STATE1
664 movdqu 0x20(STATEP), STATE2
665 movdqu 0x30(STATEP), STATE3
666 movdqu 0x40(STATEP), STATE4
668 /* decrypt message: */
680 /* mask with byte count: */
/* movdqa: relies on the 16-byte alignment of the .rodata.cst16 section. */
686 movdqa .Laegis128_counter, T1
693 /* store the state: */
/* Rotated by one, matching a single update round applied to the state. */
694 movdqu STATE4, 0x00(STATEP)
695 movdqu STATE0, 0x10(STATEP)
696 movdqu STATE1, 0x20(STATEP)
697 movdqu STATE2, 0x30(STATEP)
698 movdqu STATE3, 0x40(STATEP)
702 ENDPROC(crypto_aegis128_aesni_dec_tail)
705 * void crypto_aegis128_aesni_final(void *state, void *tag_xor,
706 * u64 assoclen, u64 cryptlen);
708 ENTRY(crypto_aegis128_aesni_final)
/*
 * Finalization: absorb the length block and derive the tag.
 * In view: the state load, the conversion of MSG from byte to bit counts,
 * and seven update rounds that XOR the same length block into the rotating
 * state slot.  How assoclen/cryptlen are packed into MSG (presumably one u64
 * per qword, which is why psllq - a per-qword shift - is the right
 * instruction) and the tag derivation that XORs the result into tag_xor
 * are on lines not shown.
 * NOTE(review): this routine only produces the tag; on the decrypt path the
 * comparison against the received tag is done by the C glue and must be
 * constant-time (crypto_memneq) - confirm there, not here.
 */
711 /* load the state: */
712 movdqu 0x00(STATEP), STATE0
713 movdqu 0x10(STATEP), STATE1
714 movdqu 0x20(STATEP), STATE2
715 movdqu 0x30(STATEP), STATE3
716 movdqu 0x40(STATEP), STATE4
718 /* prepare length block: */
723 psllq $3, MSG /* multiply by 8 (to get bit count) */
/* Seven rounds; the XOR target walks 4,3,2,1,0,4,3 because each
 * aegis128_update rotates the state registers. */
728 aegis128_update; pxor MSG, STATE4
729 aegis128_update; pxor MSG, STATE3
730 aegis128_update; pxor MSG, STATE2
731 aegis128_update; pxor MSG, STATE1
732 aegis128_update; pxor MSG, STATE0
733 aegis128_update; pxor MSG, STATE4
734 aegis128_update; pxor MSG, STATE3
749 ENDPROC(crypto_aegis128_aesni_final)