1 /* SPDX-License-Identifier: GPL-2.0-only */
3 * AES-NI + SSE2 implementation of AEGIS-128L
5 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
9 #include <linux/linkage.h>
10 #include <asm/frame.h>
/*
 * Read-only constant data, 32 bytes. The byte values are the Fibonacci
 * sequence reduced mod 256 (0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, ...),
 * so they are fixed public constants, not secret material.
 * NOTE(review): presumably this is the data behind .Laegis128l_const_0 and
 * .Laegis128l_const_1, which the init routine loads with movdqa; the label
 * and alignment lines are not visible in this excerpt - confirm.
 */
32 .section .rodata.cst16.aegis128l_const, "aM", @progbits, 32
35 .byte 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d
36 .byte 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62
38 .byte 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1
39 .byte 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd
/*
 * Byte-index table: the values 0x00..0x1f in ascending order, i.e. every
 * byte holds its own position within a 32-byte double block.
 * NOTE(review): presumably the data behind .Laegis128l_counter0 and
 * .Laegis128l_counter1, which the dec_tail routine loads in its
 * "mask with byte count" step; how the mask is derived from it is not
 * visible in this excerpt - confirm against the full file.
 */
41 .section .rodata.cst16.aegis128l_counter, "aM", @progbits, 16
44 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
45 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
47 .byte 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17
48 .byte 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
53 * __load_partial: internal ABI
58 * MSG0 - first message block
59 * MSG1 - second message block
126 ENDPROC(__load_partial)
129 * __store_partial: internal ABI
134 * T0 - first message block
135 * T1 - second message block
195 ENDPROC(__store_partial)
199 aesenc STATE0, STATE7
200 aesenc STATE1, STATE0
201 aesenc STATE2, STATE1
202 aesenc STATE3, STATE2
203 aesenc STATE4, STATE3
204 aesenc STATE5, STATE4
205 aesenc STATE6, STATE5
/*
 * Load the eight 16-byte state blocks stored at STATEP + 0x00 .. 0x70 into
 * STATE0 .. STATE7, in order (AT&T operand order: source, destination).
 * movdqu is the unaligned form, so a STATEP that is not 16-byte aligned
 * does not fault here.
 */
258 movdqu 0x00(STATEP), STATE0
259 movdqu 0x10(STATEP), STATE1
260 movdqu 0x20(STATEP), STATE2
261 movdqu 0x30(STATEP), STATE3
262 movdqu 0x40(STATEP), STATE4
263 movdqu 0x50(STATEP), STATE5
264 movdqu 0x60(STATEP), STATE6
265 movdqu 0x70(STATEP), STATE7
/*
 * state_store: write eight state registers to the 128-byte buffer at STATEP.
 *
 * The arguments are stored shifted by one slot: \s7 goes to offset 0x00 and
 * \s0 .. \s6 follow at 0x10 .. 0x70. Callers pass the STATE registers in
 * whatever rotated order they currently hold. movdqu is the unaligned form,
 * so an unaligned STATEP does not fault here.
 * (The closing .endm is not part of this excerpt.)
 */
268 .macro state_store s0 s1 s2 s3 s4 s5 s6 s7
269 movdqu \s7, 0x00(STATEP)
270 movdqu \s0, 0x10(STATEP)
271 movdqu \s1, 0x20(STATEP)
272 movdqu \s2, 0x30(STATEP)
273 movdqu \s3, 0x40(STATEP)
274 movdqu \s4, 0x50(STATEP)
275 movdqu \s5, 0x60(STATEP)
276 movdqu \s6, 0x70(STATEP)
280 state_store STATE0 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7
284 state_store STATE7 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6
288 state_store STATE6 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
292 state_store STATE5 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4
296 state_store STATE4 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3
300 state_store STATE3 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2
304 state_store STATE2 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1
308 state_store STATE1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0
312 * void crypto_aegis128l_aesni_init(void *state, const void *key, const void *iv);
314 ENTRY(crypto_aegis128l_aesni_init)
330 /* load the constants: */
331 movdqa .Laegis128l_const_0, STATE2
332 movdqa .Laegis128l_const_1, STATE1
333 movdqa STATE1, STATE3
338 /* update 10 times with IV and KEY: */
354 ENDPROC(crypto_aegis128l_aesni_init)
357 movdq\a (\i * 0x20 + 0x00)(SRC), MSG0
358 movdq\a (\i * 0x20 + 0x10)(SRC), MSG1
366 * void crypto_aegis128l_aesni_ad(void *state, unsigned int length,
369 ENTRY(crypto_aegis128l_aesni_ad)
452 ENDPROC(crypto_aegis128l_aesni_ad)
454 .macro crypt m0 m1 s0 s1 s2 s3 s4 s5 s6 s7
469 crypt \m0 \m1 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7
473 crypt \m0 \m1 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6
477 crypt \m0 \m1 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
481 crypt \m0 \m1 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3 STATE4
485 crypt \m0 \m1 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2 STATE3
489 crypt \m0 \m1 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1 STATE2
493 crypt \m0 \m1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0 STATE1
497 crypt \m0 \m1 STATE1 STATE2 STATE3 STATE4 STATE5 STATE6 STATE7 STATE0
500 .macro encrypt_block a i
501 movdq\a (\i * 0x20 + 0x00)(SRC), MSG0
502 movdq\a (\i * 0x20 + 0x10)(SRC), MSG1
506 movdq\a T0, (\i * 0x20 + 0x00)(DST)
507 movdq\a T1, (\i * 0x20 + 0x10)(DST)
516 .macro decrypt_block a i
517 movdq\a (\i * 0x20 + 0x00)(SRC), MSG0
518 movdq\a (\i * 0x20 + 0x10)(SRC), MSG1
520 movdq\a MSG0, (\i * 0x20 + 0x00)(DST)
521 movdq\a MSG1, (\i * 0x20 + 0x10)(DST)
531 * void crypto_aegis128l_aesni_enc(void *state, unsigned int length,
532 * const void *src, void *dst);
534 ENTRY(crypto_aegis128l_aesni_enc)
620 ENDPROC(crypto_aegis128l_aesni_enc)
623 * void crypto_aegis128l_aesni_enc_tail(void *state, unsigned int length,
624 * const void *src, void *dst);
626 ENTRY(crypto_aegis128l_aesni_enc_tail)
631 /* encrypt message: */
646 ENDPROC(crypto_aegis128l_aesni_enc_tail)
649 * void crypto_aegis128l_aesni_dec(void *state, unsigned int length,
650 * const void *src, void *dst);
652 ENTRY(crypto_aegis128l_aesni_dec)
738 ENDPROC(crypto_aegis128l_aesni_dec)
741 * void crypto_aegis128l_aesni_dec_tail(void *state, unsigned int length,
742 * const void *src, void *dst);
744 ENTRY(crypto_aegis128l_aesni_dec_tail)
749 /* decrypt message: */
758 /* mask with byte count: */
765 movdqa .Laegis128l_counter0, T2
766 movdqa .Laegis128l_counter1, T3
778 ENDPROC(crypto_aegis128l_aesni_dec_tail)
781 * void crypto_aegis128l_aesni_final(void *state, void *tag_xor,
782 * u64 assoclen, u64 cryptlen);
784 ENTRY(crypto_aegis128l_aesni_final)
789 /* prepare length block: */
794 psllq $3, MSG0 /* multiply by 8 (to get bit count) */
823 ENDPROC(crypto_aegis128l_aesni_final)