1 /* SPDX-License-Identifier: GPL-2.0-only */
3 * AES-NI + SSE2 implementation of AEGIS-256
5 * Copyright (c) 2017-2018 Ondrej Mosnacek <omosnacek@gmail.com>
6 * Copyright (C) 2017-2018 Red Hat, Inc. All rights reserved.
9 #include <linux/linkage.h>
10 #include <asm/frame.h>
/*
 * Constant block: 32 bytes of the Fibonacci sequence reduced mod 256
 * (0x00, 0x01, 0x01, 0x02, 0x03, 0x05, ...), placed in a mergeable ("aM")
 * read-only section.
 * NOTE(review): the section name says cst16 while the entry-size operand is
 * 32 -- confirm the mismatch is intentional.
 */
29 .section .rodata.cst16.aegis256_const, "aM", @progbits, 32
32 .byte 0x00, 0x01, 0x01, 0x02, 0x03, 0x05, 0x08, 0x0d
33 .byte 0x15, 0x22, 0x37, 0x59, 0x90, 0xe9, 0x79, 0x62
35 .byte 0xdb, 0x3d, 0x18, 0x55, 0x6d, 0xc2, 0x2f, 0xf1
36 .byte 0x20, 0x11, 0x31, 0x42, 0x73, 0xb5, 0x28, 0xdd
/* Byte-index vector 0x00..0x0f in its own mergeable section, entry size 16. */
38 .section .rodata.cst16.aegis256_counter, "aM", @progbits, 16
41 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
42 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
47 * __load_partial: internal ABI
110 ENDPROC(__load_partial)
113 * __store_partial: internal ABI
168 ENDPROC(__store_partial)
/*
 * AT&T operand order: "aesenc SRC, DST" runs one AES round on DST and XORs
 * SRC in as the round key.  Each line therefore mixes a state word into its
 * neighbour.  STATE5 is rewritten first, while STATE0 still holds its old
 * value, and every later line reads a source register that has not been
 * overwritten yet -- so the order of these instructions must not change.
 * NOTE(review): the lines surrounding this chain are not shown here.
 */
172 aesenc STATE0, STATE5
173 aesenc STATE1, STATE0
174 aesenc STATE2, STATE1
175 aesenc STATE3, STATE2
176 aesenc STATE4, STATE3
/*
 * Load the six 16-byte state words from STATEP (offsets 0x00..0x50).
 * movdqu is used, so the state buffer does not have to be 16-byte aligned.
 */
211 movdqu 0x00(STATEP), STATE0
212 movdqu 0x10(STATEP), STATE1
213 movdqu 0x20(STATEP), STATE2
214 movdqu 0x30(STATEP), STATE3
215 movdqu 0x40(STATEP), STATE4
216 movdqu 0x50(STATEP), STATE5
/*
 * state_store: write six registers back to STATEP with unaligned stores.
 * The last argument (s5) goes to offset 0x00 and s0..s4 go to 0x10..0x50,
 * i.e. the argument list is stored rotated by one word.
 */
219 .macro state_store s0 s1 s2 s3 s4 s5
220 movdqu \s5, 0x00(STATEP)
221 movdqu \s0, 0x10(STATEP)
222 movdqu \s1, 0x20(STATEP)
223 movdqu \s2, 0x30(STATEP)
224 movdqu \s3, 0x40(STATEP)
225 movdqu \s4, 0x50(STATEP)
/*
 * Six invocations, each passing the STATE registers in a different rotation.
 * Presumably one per possible number of update steps (mod 6) performed since
 * the load -- confirm against the wrapper macros, which are not shown here.
 * Picking the wrong rotation would write a permuted state back to memory.
 */
229 state_store STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
233 state_store STATE5 STATE0 STATE1 STATE2 STATE3 STATE4
237 state_store STATE4 STATE5 STATE0 STATE1 STATE2 STATE3
241 state_store STATE3 STATE4 STATE5 STATE0 STATE1 STATE2
245 state_store STATE2 STATE3 STATE4 STATE5 STATE0 STATE1
249 state_store STATE1 STATE2 STATE3 STATE4 STATE5 STATE0
253 * void crypto_aegis256_aesni_init(void *state, const void *key, const void *iv);
255 ENTRY(crypto_aegis256_aesni_init)
/*
 * The two 16-byte key halves are read through %rsi with movdqa, which
 * faults unless the address is 16-byte aligned.
 * NOTE(review): the caller must therefore pass an aligned key buffer --
 * confirm the glue code guarantees this.
 */
259 movdqa 0x00(%rsi), MSG
260 movdqa 0x10(%rsi), T1
/* The two 16-byte IV halves are read through %rdx with movdqu (no alignment requirement). */
265 movdqu 0x00(%rdx), T2
266 movdqu 0x10(%rdx), T3
272 /* load the constants: */
/*
 * NOTE(review): these are absolute symbol references (no "(%rip)"), so they
 * need absolute relocations and would not assemble into position-independent
 * code -- confirm this matches the code model the file is built with.
 */
273 movdqa .Laegis256_const_0, STATE3
274 movdqa .Laegis256_const_1, STATE2
278 /* update 10 times with IV and KEY: */
300 ENDPROC(crypto_aegis256_aesni_init)
303 movdq\a (\i * 0x10)(SRC), MSG
311 * void crypto_aegis256_aesni_ad(void *state, unsigned int length,
314 ENTRY(crypto_aegis256_aesni_ad)
383 ENDPROC(crypto_aegis256_aesni_ad)
/*
 * crypt: takes a mode argument (m) and the six state registers in the
 * rotation that is current at the call site.
 */
385 .macro crypt m s0 s1 s2 s3 s4 s5
/* One invocation per register rotation, mirroring the state_store calls. */
395 crypt \m STATE0 STATE1 STATE2 STATE3 STATE4 STATE5
399 crypt \m STATE5 STATE0 STATE1 STATE2 STATE3 STATE4
403 crypt \m STATE4 STATE5 STATE0 STATE1 STATE2 STATE3
407 crypt \m STATE3 STATE4 STATE5 STATE0 STATE1 STATE2
411 crypt \m STATE2 STATE3 STATE4 STATE5 STATE0 STATE1
415 crypt \m STATE1 STATE2 STATE3 STATE4 STATE5 STATE0
/*
 * encrypt_block: process 16-byte block number i.  The a argument completes
 * the mnemonic "movdq\a" (presumably a or u, selecting aligned or unaligned
 * access -- confirm at the call sites).  Input is read from SRC into MSG and
 * the result in T0 is written to DST at the same block offset.
 */
418 .macro encrypt_block a i
419 movdq\a (\i * 0x10)(SRC), MSG
422 movdq\a T0, (\i * 0x10)(DST)
/*
 * decrypt_block: same addressing as encrypt_block, but the value written to
 * DST is MSG.
 * NOTE(review): output reaches DST before the tag is produced by
 * crypto_aegis256_aesni_final, so the caller must not release DST contents
 * until tag verification succeeds -- confirm the glue code enforces this.
 */
431 .macro decrypt_block a i
432 movdq\a (\i * 0x10)(SRC), MSG
434 movdq\a MSG, (\i * 0x10)(DST)
444 * void crypto_aegis256_aesni_enc(void *state, unsigned int length,
445 * const void *src, void *dst);
447 ENTRY(crypto_aegis256_aesni_enc)
519 ENDPROC(crypto_aegis256_aesni_enc)
522 * void crypto_aegis256_aesni_enc_tail(void *state, unsigned int length,
523 * const void *src, void *dst);
525 ENTRY(crypto_aegis256_aesni_enc_tail)
530 /* encrypt message: */
544 ENDPROC(crypto_aegis256_aesni_enc_tail)
547 * void crypto_aegis256_aesni_dec(void *state, unsigned int length,
548 * const void *src, void *dst);
550 ENTRY(crypto_aegis256_aesni_dec)
622 ENDPROC(crypto_aegis256_aesni_dec)
625 * void crypto_aegis256_aesni_dec_tail(void *state, unsigned int length,
626 * const void *src, void *dst);
628 ENTRY(crypto_aegis256_aesni_dec_tail)
633 /* decrypt message: */
641 /* mask with byte count: */
/*
 * Loads a 16-byte constant with an aligned, absolute-address movdqa.
 * Presumably this is the 0x00..0x0f byte-index vector from the
 * aegis256_counter section, compared against the byte count to build a
 * mask that clears the bytes past the end of the partial block -- the
 * compare and the masking instructions are not shown here; confirm.
 * NOTE(review): a vector mask avoids a per-byte branch on the length;
 * keep it that way if this code is ever restructured.
 */
647 movdqa .Laegis256_counter, T1
657 ENDPROC(crypto_aegis256_aesni_dec_tail)
660 * void crypto_aegis256_aesni_final(void *state, void *tag_xor,
661 * u64 assoclen, u64 cryptlen);
663 ENTRY(crypto_aegis256_aesni_final)
/*
 * The prototype returns void, so this routine cannot report a tag mismatch;
 * the comparison is left to the caller.
 * NOTE(review): that comparison should be constant-time -- confirm in the
 * glue code.
 */
668 /* prepare length block: */
/*
 * psllq shifts each 64-bit lane of MSG left by 3, so the top three bits of
 * each lane are dropped.  Presumably the lanes hold assoclen and cryptlen
 * (both u64 in the prototype) -- the loads are not shown here.
 */
673 psllq $3, MSG /* multiply by 8 (to get bit count) */
700 ENDPROC(crypto_aegis256_aesni_final)