2 * AES modes (ECB/CBC/CTR/XTS) for PPC AES implementation
4 * Copyright (c) 2015 Markus Stockhausen <stockhausen@collogia.de>
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the Free
8 * Software Foundation; either version 2 of the License, or (at your option)
13 #include <asm/ppc_asm.h>
14 #include "aes-spe-regs.h"
16 #ifdef __BIG_ENDIAN__ /* Macros for big endian builds */
/*
 * Big-endian data access. LOAD_DATA reads one 32-bit word from rSP + off
 * into reg; the macro itself leaves rSP unchanged.
 * NOTE(review): rSP/rDP are presumably the source/destination pointers
 * named in aes-spe-regs.h -- confirm there.
 */
18 #define LOAD_DATA(reg, off) \
19 lwz reg,off(rSP); /* load word at offset off from rSP */
/* SAVE_DATA writes reg as one 32-bit word to rDP + off; rDP is unchanged. */
20 #define SAVE_DATA(reg, off) \
21 stw reg,off(rDP); /* store word at offset off from rDP */
23 addi rSP,rSP,16; /* increment pointers per block */ \
/* Big-endian IV access: plain word load/store at rIP + off; rIP is unchanged. */
25 #define LOAD_IV(reg, off) \
26 lwz reg,off(rIP); /* load IV word at offset off from rIP */
27 #define SAVE_IV(reg, off) \
28 stw reg,off(rIP); /* store IV word at offset off from rIP */
/* Expands to nothing here because LOAD_IV/SAVE_IV above do not move rIP. */
29 #define START_IV /* nothing to reset */
/* NOTE(review): presumably the pointer step-back used by the CBC/CTR routines -- confirm at the use sites. */
30 #define CBC_DEC 16 /* CBC decrement per block */
31 #define CTR_DEC 1 /* CTR decrement one byte */
33 #else /* Macros for little endian */
/*
 * Little-endian data access. Each macro transfers one byte-reversed 32-bit
 * word and then advances its pointer by 4. The off argument is not
 * referenced in these expansions.
 */
35 #define LOAD_DATA(reg, off) \
36 lwbrx reg,0,rSP; /* load reversed */ \
37 addi rSP,rSP,4; /* and increment pointer */
38 #define SAVE_DATA(reg, off) \
39 stwbrx reg,0,rDP; /* save reversed */ \
40 addi rDP,rDP,4; /* and increment pointer */
/* Empty: LOAD_DATA/SAVE_DATA above already advance rSP and rDP word by word. */
41 #define NEXT_BLOCK /* nothing to do */
/* Little-endian IV access: byte-reversed word at rIP, then rIP advances by 4. */
42 #define LOAD_IV(reg, off) \
43 lwbrx reg,0,rIP; /* load reversed */ \
44 addi rIP,rIP,4; /* and increment pointer */
45 #define SAVE_IV(reg, off) \
46 stwbrx reg,0,rIP; /* save reversed */ \
47 addi rIP,rIP,4; /* and increment pointer */
49 subi rIP,rIP,16; /* must reset pointer */
/*
 * Little-endian decrement constants. They are larger than the big-endian
 * values because the little-endian access macros advance their pointers
 * on every word.
 * NOTE(review): confirm the exact amounts against the CBC/CTR use sites.
 */
50 #define CBC_DEC 32 /* 2 blocks because of the pointer increments */
51 #define CTR_DEC 17 /* 1 block more because of the pointer increments */
59 stw rI0,96(r1); /* save 32 bit registers */ \
65 lwz rI0,96(r1); /* restore 32 bit registers */ \
72 stw rG0,112(r1); /* save 32 bit registers */ \
79 lwz rG0,112(r1); /* restore 32 bit registers */ \
84 #define INITIALIZE_CRYPT(tab,nr32bitregs) \
86 stwu r1,-160(r1); /* create stack frame */ \
87 lis rT0,tab@h; /* en-/decryption table pointer */ \
88 stw r0,8(r1); /* save link register */ \
92 evstdw r15,24(r1); /* We must save non volatile */ \
93 evstdw r16,32(r1); /* registers. Take the chance */ \
94 evstdw r17,40(r1); /* and save the SPE part too */ \
101 SAVE_##nr32bitregs##_REGS
103 #define FINALIZE_CRYPT(nr32bitregs) \
105 evldw r14,16(r1); /* restore SPE registers */ \
115 LOAD_##nr32bitregs##_REGS \
116 mtlr r0; /* restore link register */ \
118 stw r0,16(r1); /* delete sensitive data */ \
119 stw r0,24(r1); /* that we might have pushed */ \
120 stw r0,32(r1); /* from other context that runs */ \
121 stw r0,40(r1); /* the same code */ \
128 addi r1,r1,160; /* cleanup stack frame */
130 #define ENDIAN_SWAP(t0, t1, s0, s1) \
131 rotrwi t0,s0,8; /* swap endianness for 2 GPRs */ \
133 rlwimi t0,s0,8,8,15; \
134 rlwimi t1,s1,8,8,15; \
135 rlwimi t0,s0,8,24,31; \
136 rlwimi t1,s1,8,24,31;
138 #define GF128_MUL(d0, d1, d2, d3, t0) \
139 li t0,0x87; /* GF(2^128) multiply by x; 0x87 is the reduction constant */ \
142 rlwimi d3,d2,0,0,0; /* propagate "carry" bits */ \
144 rlwimi d2,d1,0,0,0; \
146 rlwimi d1,d0,0,0,0; \
147 slwi d0,d0,1; /* shift left 128 bit */ \
151 #define START_KEY(d0, d1, d2, d3) \
163 * ppc_encrypt_aes(u8 *out, const u8 *in, u32 *key_enc,
166 * called from glue layer to encrypt a single 16 byte block
167 * round values are AES128 = 4, AES192 = 5, AES256 = 6
170 _GLOBAL(ppc_encrypt_aes)
171 INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 0)
176 START_KEY(rD0, rD1, rD2, rD3)
190 * ppc_decrypt_aes(u8 *out, const u8 *in, u32 *key_dec,
193 * called from glue layer to decrypt a single 16 byte block
194 * round values are AES128 = 4, AES192 = 5, AES256 = 6
197 _GLOBAL(ppc_decrypt_aes)
198 INITIALIZE_CRYPT(PPC_AES_4K_DECTAB,0)
204 START_KEY(rD0, rD1, rD2, rD3)
218 * ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc,
219 * u32 rounds, u32 bytes);
221 * called from glue layer to encrypt multiple blocks via ECB
222 * The caller must pass bytes >= 16; only whole blocks are
223 * processed. round values are AES128 = 4, AES192 = 5 and
227 _GLOBAL(ppc_encrypt_ecb)
228 INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 0)
229 ppc_encrypt_ecb_loop:
237 START_KEY(rD0, rD1, rD2, rD3)
248 bt gt,ppc_encrypt_ecb_loop
253 * ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec,
254 * u32 rounds, u32 bytes);
256 * called from glue layer to decrypt multiple blocks via ECB
257 * The caller must pass bytes >= 16; only whole blocks are
258 * processed. round values are AES128 = 4, AES192 = 5 and
262 _GLOBAL(ppc_decrypt_ecb)
263 INITIALIZE_CRYPT(PPC_AES_4K_DECTAB, 0)
265 ppc_decrypt_ecb_loop:
273 START_KEY(rD0, rD1, rD2, rD3)
284 bt gt,ppc_decrypt_ecb_loop
289 * ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc,
290 * u32 rounds, u32 bytes, u8 *iv);
292 * called from glue layer to encrypt multiple blocks via CBC
293 * The caller must pass bytes >= 16; only whole blocks are
294 * processed. round values are AES128 = 4, AES192 = 5 and
298 _GLOBAL(ppc_encrypt_cbc)
299 INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 4)
304 ppc_encrypt_cbc_loop:
316 START_KEY(rD0, rD1, rD2, rD3)
327 bt gt,ppc_encrypt_cbc_loop
337 * ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec,
338 * u32 rounds, u32 bytes, u8 *iv);
340 * called from glue layer to decrypt multiple blocks via CBC
341 * round values are AES128 = 4, AES192 = 5, AES256 = 6
344 _GLOBAL(ppc_decrypt_cbc)
345 INITIALIZE_CRYPT(PPC_AES_4K_DECTAB, 4)
352 add rSP,rSP,rLN /* reverse processing */
366 bt lt,ppc_decrypt_cbc_end
367 ppc_decrypt_cbc_loop:
369 START_KEY(rD0, rD1, rD2, rD3)
391 bt gt,ppc_decrypt_cbc_loop
394 START_KEY(rD0, rD1, rD2, rD3)
400 xor rW0,rW0,rI0 /* decrypt with initial IV */
412 * ppc_crypt_ctr(u8 *out, const u8 *in, u32 *key_enc,
413 * u32 rounds, u32 bytes, u8 *iv);
415 * called from glue layer to encrypt/decrypt multiple blocks
416 * via CTR. Number of bytes does not need to be a multiple of
417 * 16. Round values are AES128 = 4, AES192 = 5, AES256 = 6
420 _GLOBAL(ppc_crypt_ctr)
421 INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 4)
428 bt lt,ppc_crypt_ctr_partial
431 START_KEY(rI0, rI1, rI2, rI3)
450 addic rI3,rI3,1 /* increase counter */
456 bt gt,ppc_crypt_ctr_loop
457 ppc_crypt_ctr_partial:
459 bt eq,ppc_crypt_ctr_end
461 START_KEY(rI0, rI1, rI2, rI3)
475 ppc_crypt_ctr_xorbyte:
476 lbzu rW4,1(rIP) /* bytewise xor for partial block */
480 bdnz ppc_crypt_ctr_xorbyte
496 * ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc,
497 * u32 rounds, u32 bytes, u8 *iv, u32 *key_twk);
499 * called from glue layer to encrypt multiple blocks via XTS
500 * If key_twk is given, the initial IV encryption will be
501 * processed too. Round values are AES128 = 4, AES192 = 5,
505 _GLOBAL(ppc_encrypt_xts)
506 INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 8)
512 bt eq,ppc_encrypt_xts_notweak
514 START_KEY(rI0, rI1, rI2, rI3)
520 ppc_encrypt_xts_notweak:
521 ENDIAN_SWAP(rG0, rG1, rI0, rI1)
522 ENDIAN_SWAP(rG2, rG3, rI2, rI3)
523 ppc_encrypt_xts_loop:
534 START_KEY(rD0, rD1, rD2, rD3)
548 GF128_MUL(rG0, rG1, rG2, rG3, rW0)
549 ENDIAN_SWAP(rI0, rI1, rG0, rG1)
550 ENDIAN_SWAP(rI2, rI3, rG2, rG3)
553 bt gt,ppc_encrypt_xts_loop
563 * ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec,
564 * u32 rounds, u32 blocks, u8 *iv, u32 *key_twk);
566 * called from glue layer to decrypt multiple blocks via XTS
567 * If key_twk is given, the initial IV encryption will be
568 * processed too. Round values are AES128 = 4, AES192 = 5,
572 _GLOBAL(ppc_decrypt_xts)
573 INITIALIZE_CRYPT(PPC_AES_4K_DECTAB, 8)
580 bt eq,ppc_decrypt_xts_notweak
583 START_KEY(rI0, rI1, rI2, rI3)
590 ppc_decrypt_xts_notweak:
591 ENDIAN_SWAP(rG0, rG1, rI0, rI1)
592 ENDIAN_SWAP(rG2, rG3, rI2, rI3)
593 ppc_decrypt_xts_loop:
604 START_KEY(rD0, rD1, rD2, rD3)
618 GF128_MUL(rG0, rG1, rG2, rG3, rW0)
619 ENDIAN_SWAP(rI0, rI1, rG0, rG1)
620 ENDIAN_SWAP(rI2, rI3, rG2, rG3)
623 bt gt,ppc_decrypt_xts_loop