2019-06-04 16:11:33 +08:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0-only */
|
2017-01-12 00:41:52 +08:00
|
|
|
/*
|
|
|
|
|
* Scalar AES core transform
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/linkage.h>
|
|
|
|
|
#include <asm/assembler.h>
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
#include <asm/cache.h>
|
2017-01-12 00:41:52 +08:00
|
|
|
|
|
|
|
|
.text
|
|
|
|
|
|
|
|
|
|
rk .req x0
|
|
|
|
|
out .req x1
|
|
|
|
|
in .req x2
|
|
|
|
|
rounds .req x3
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
tt .req x2
|
2017-01-12 00:41:52 +08:00
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
.macro __pair1, sz, op, reg0, reg1, in0, in1e, in1d, shift
|
|
|
|
|
.ifc \op\shift, b0
|
|
|
|
|
ubfiz \reg0, \in0, #2, #8
|
|
|
|
|
ubfiz \reg1, \in1e, #2, #8
|
|
|
|
|
.else
|
2017-01-29 07:25:37 +08:00
|
|
|
ubfx \reg0, \in0, #\shift, #8
|
|
|
|
|
ubfx \reg1, \in1e, #\shift, #8
|
2017-01-12 00:41:52 +08:00
|
|
|
.endif
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* AArch64 cannot do byte size indexed loads from a table containing
|
|
|
|
|
* 32-bit quantities, i.e., 'ldrb w12, [tt, w12, uxtw #2]' is not a
|
|
|
|
|
* valid instruction. So perform the shift explicitly first for the
|
|
|
|
|
* high bytes (the low byte is shifted implicitly by using ubfiz rather
|
|
|
|
|
* than ubfx above)
|
|
|
|
|
*/
|
|
|
|
|
.ifnc \op, b
|
2017-01-29 07:25:37 +08:00
|
|
|
ldr \reg0, [tt, \reg0, uxtw #2]
|
|
|
|
|
ldr \reg1, [tt, \reg1, uxtw #2]
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
.else
|
|
|
|
|
.if \shift > 0
|
|
|
|
|
lsl \reg0, \reg0, #2
|
|
|
|
|
lsl \reg1, \reg1, #2
|
|
|
|
|
.endif
|
|
|
|
|
ldrb \reg0, [tt, \reg0, uxtw]
|
|
|
|
|
ldrb \reg1, [tt, \reg1, uxtw]
|
|
|
|
|
.endif
|
2017-01-29 07:25:37 +08:00
|
|
|
.endm
|
2017-01-12 00:41:52 +08:00
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
.macro __pair0, sz, op, reg0, reg1, in0, in1e, in1d, shift
|
|
|
|
|
ubfx \reg0, \in0, #\shift, #8
|
|
|
|
|
ubfx \reg1, \in1d, #\shift, #8
|
|
|
|
|
ldr\op \reg0, [tt, \reg0, uxtw #\sz]
|
|
|
|
|
ldr\op \reg1, [tt, \reg1, uxtw #\sz]
|
|
|
|
|
.endm
|
|
|
|
|
|
|
|
|
|
.macro __hround, out0, out1, in0, in1, in2, in3, t0, t1, enc, sz, op
|
2017-01-29 07:25:37 +08:00
|
|
|
ldp \out0, \out1, [rk], #8
|
2017-01-12 00:41:52 +08:00
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
__pair\enc \sz, \op, w12, w13, \in0, \in1, \in3, 0
|
|
|
|
|
__pair\enc \sz, \op, w14, w15, \in1, \in2, \in0, 8
|
|
|
|
|
__pair\enc \sz, \op, w16, w17, \in2, \in3, \in1, 16
|
|
|
|
|
__pair\enc \sz, \op, \t0, \t1, \in3, \in0, \in2, 24
|
|
|
|
|
|
|
|
|
|
eor \out0, \out0, w12
|
|
|
|
|
eor \out1, \out1, w13
|
|
|
|
|
eor \out0, \out0, w14, ror #24
|
|
|
|
|
eor \out1, \out1, w15, ror #24
|
|
|
|
|
eor \out0, \out0, w16, ror #16
|
|
|
|
|
eor \out1, \out1, w17, ror #16
|
2017-01-29 07:25:37 +08:00
|
|
|
eor \out0, \out0, \t0, ror #8
|
2017-01-12 00:41:52 +08:00
|
|
|
eor \out1, \out1, \t1, ror #8
|
|
|
|
|
.endm
|
|
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
.macro fround, out0, out1, out2, out3, in0, in1, in2, in3, sz=2, op
|
|
|
|
|
__hround \out0, \out1, \in0, \in1, \in2, \in3, \out2, \out3, 1, \sz, \op
|
|
|
|
|
__hround \out2, \out3, \in2, \in3, \in0, \in1, \in1, \in2, 1, \sz, \op
|
2017-01-12 00:41:52 +08:00
|
|
|
.endm
|
|
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
.macro iround, out0, out1, out2, out3, in0, in1, in2, in3, sz=2, op
|
|
|
|
|
__hround \out0, \out1, \in0, \in3, \in2, \in1, \out2, \out3, 0, \sz, \op
|
|
|
|
|
__hround \out2, \out3, \in2, \in1, \in0, \in3, \in1, \in0, 0, \sz, \op
|
2017-01-12 00:41:52 +08:00
|
|
|
.endm
|
|
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
.macro do_crypt, round, ttab, ltab, bsz
|
|
|
|
|
ldp w4, w5, [in]
|
|
|
|
|
ldp w6, w7, [in, #8]
|
|
|
|
|
ldp w8, w9, [rk], #16
|
|
|
|
|
ldp w10, w11, [rk, #-8]
|
2017-01-12 00:41:52 +08:00
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
CPU_BE( rev w4, w4 )
|
2017-01-12 00:41:52 +08:00
|
|
|
CPU_BE( rev w5, w5 )
|
|
|
|
|
CPU_BE( rev w6, w6 )
|
|
|
|
|
CPU_BE( rev w7, w7 )
|
|
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
eor w4, w4, w8
|
2017-01-12 00:41:52 +08:00
|
|
|
eor w5, w5, w9
|
|
|
|
|
eor w6, w6, w10
|
|
|
|
|
eor w7, w7, w11
|
|
|
|
|
|
2017-01-29 07:25:36 +08:00
|
|
|
adr_l tt, \ttab
|
2017-01-12 00:41:52 +08:00
|
|
|
|
|
|
|
|
tbnz rounds, #1, 1f
|
|
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
0: \round w8, w9, w10, w11, w4, w5, w6, w7
|
|
|
|
|
\round w4, w5, w6, w7, w8, w9, w10, w11
|
2017-01-12 00:41:52 +08:00
|
|
|
|
|
|
|
|
1: subs rounds, rounds, #4
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
\round w8, w9, w10, w11, w4, w5, w6, w7
|
|
|
|
|
b.ls 3f
|
|
|
|
|
2: \round w4, w5, w6, w7, w8, w9, w10, w11
|
|
|
|
|
b 0b
|
|
|
|
|
3: adr_l tt, \ltab
|
|
|
|
|
\round w4, w5, w6, w7, w8, w9, w10, w11, \bsz, b
|
|
|
|
|
|
|
|
|
|
CPU_BE( rev w4, w4 )
|
2017-01-12 00:41:52 +08:00
|
|
|
CPU_BE( rev w5, w5 )
|
|
|
|
|
CPU_BE( rev w6, w6 )
|
|
|
|
|
CPU_BE( rev w7, w7 )
|
|
|
|
|
|
crypto: arm64/aes - avoid expanded lookup tables in the final round
For the final round, avoid the expanded and padded lookup tables
exported by the generic AES driver. Instead, for encryption, we can
perform byte loads from the same table we used for the inner rounds,
which will still be hot in the caches. For decryption, use the inverse
AES Sbox directly, which is 4x smaller than the inverse lookup table
exported by the generic driver.
This should significantly reduce the Dcache footprint of our code,
which makes the code more robust against timing attacks. It does not
introduce any additional module dependencies, given that we already
rely on the core AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, which and so avoiding it improves
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-07-24 18:28:20 +08:00
|
|
|
stp w4, w5, [out]
|
|
|
|
|
stp w6, w7, [out, #8]
|
2017-01-12 00:41:52 +08:00
|
|
|
ret
|
|
|
|
|
.endm
|
|
|
|
|
|
2019-12-13 23:49:10 +08:00
|
|
|
SYM_FUNC_START(__aes_arm64_encrypt)
|
2018-01-10 20:11:37 +08:00
|
|
|
do_crypt fround, crypto_ft_tab, crypto_ft_tab + 1, 2
|
2019-12-13 23:49:10 +08:00
|
|
|
SYM_FUNC_END(__aes_arm64_encrypt)
|
2018-01-10 20:11:37 +08:00
|
|
|
|
|
|
|
|
.align 5
|
2019-12-13 23:49:10 +08:00
|
|
|
SYM_FUNC_START(__aes_arm64_decrypt)
|
2019-07-03 03:41:49 +08:00
|
|
|
do_crypt iround, crypto_it_tab, crypto_aes_inv_sbox, 0
|
2019-12-13 23:49:10 +08:00
|
|
|
SYM_FUNC_END(__aes_arm64_decrypt)
|
