xref: /linux/arch/arm/crypto/aes-ce-core.S (revision a4b16dad46576ce08ecb660fc923d0857dcae107)
1/* SPDX-License-Identifier: GPL-2.0-only */
2/*
3 * aes-ce-core.S - AES in CBC/CTR/XTS mode using ARMv8 Crypto Extensions
4 *
5 * Copyright (C) 2015 Linaro Ltd <ard.biesheuvel@linaro.org>
6 */
7
8#include <linux/linkage.h>
9#include <asm/assembler.h>
10
11	.text
12	.arch		armv8-a
13	.fpu		crypto-neon-fp-armv8
14	.align		3
15
16	.macro		enc_round, state, key
17	aese.8		\state, \key
18	aesmc.8		\state, \state
19	.endm
20
21	.macro		dec_round, state, key
22	aesd.8		\state, \key
23	aesimc.8	\state, \state
24	.endm
25
26	.macro		enc_dround, key1, key2
27	enc_round	q0, \key1
28	enc_round	q0, \key2
29	.endm
30
31	.macro		dec_dround, key1, key2
32	dec_round	q0, \key1
33	dec_round	q0, \key2
34	.endm
35
36	.macro		enc_fround, key1, key2, key3
37	enc_round	q0, \key1
38	aese.8		q0, \key2
39	veor		q0, q0, \key3
40	.endm
41
42	.macro		dec_fround, key1, key2, key3
43	dec_round	q0, \key1
44	aesd.8		q0, \key2
45	veor		q0, q0, \key3
46	.endm
47
48	.macro		enc_dround_4x, key1, key2
49	enc_round	q0, \key1
50	enc_round	q1, \key1
51	enc_round	q2, \key1
52	enc_round	q3, \key1
53	enc_round	q0, \key2
54	enc_round	q1, \key2
55	enc_round	q2, \key2
56	enc_round	q3, \key2
57	.endm
58
59	.macro		dec_dround_4x, key1, key2
60	dec_round	q0, \key1
61	dec_round	q1, \key1
62	dec_round	q2, \key1
63	dec_round	q3, \key1
64	dec_round	q0, \key2
65	dec_round	q1, \key2
66	dec_round	q2, \key2
67	dec_round	q3, \key2
68	.endm
69
70	.macro		enc_fround_4x, key1, key2, key3
71	enc_round	q0, \key1
72	enc_round	q1, \key1
73	enc_round	q2, \key1
74	enc_round	q3, \key1
75	aese.8		q0, \key2
76	aese.8		q1, \key2
77	aese.8		q2, \key2
78	aese.8		q3, \key2
79	veor		q0, q0, \key3
80	veor		q1, q1, \key3
81	veor		q2, q2, \key3
82	veor		q3, q3, \key3
83	.endm
84
85	.macro		dec_fround_4x, key1, key2, key3
86	dec_round	q0, \key1
87	dec_round	q1, \key1
88	dec_round	q2, \key1
89	dec_round	q3, \key1
90	aesd.8		q0, \key2
91	aesd.8		q1, \key2
92	aesd.8		q2, \key2
93	aesd.8		q3, \key2
94	veor		q0, q0, \key3
95	veor		q1, q1, \key3
96	veor		q2, q2, \key3
97	veor		q3, q3, \key3
98	.endm
99
100	.macro		do_block, dround, fround
101	cmp		r3, #12			@ which key size?
102	vld1.32		{q10-q11}, [ip]!
103	\dround		q8, q9
104	vld1.32		{q12-q13}, [ip]!
105	\dround		q10, q11
106	vld1.32		{q10-q11}, [ip]!
107	\dround		q12, q13
108	vld1.32		{q12-q13}, [ip]!
109	\dround		q10, q11
110	blo		0f			@ AES-128: 10 rounds
111	vld1.32		{q10-q11}, [ip]!
112	\dround		q12, q13
113	beq		1f			@ AES-192: 12 rounds
114	vld1.32		{q12-q13}, [ip]
115	\dround		q10, q11
1160:	\fround		q12, q13, q14
117	bx		lr
118
1191:	\fround		q10, q11, q14
120	bx		lr
121	.endm
122
123	/*
124	 * Internal, non-AAPCS compliant functions that implement the core AES
125	 * transforms. These should preserve all registers except q0 - q2 and ip
126	 * Arguments:
127	 *   q0        : first in/output block
128	 *   q1        : second in/output block (_4x version only)
129	 *   q2        : third in/output block (_4x version only)
130	 *   q3        : fourth in/output block (_4x version only)
131	 *   q8        : first round key
132	 *   q9        : secound round key
133	 *   q14       : final round key
134	 *   r2        : address of round key array
135	 *   r3        : number of rounds
136	 */
137	.align		6
138aes_encrypt:
139	add		ip, r2, #32		@ 3rd round key
140.Laes_encrypt_tweak:
141	do_block	enc_dround, enc_fround
142ENDPROC(aes_encrypt)
143
144	.align		6
145aes_decrypt:
146	add		ip, r2, #32		@ 3rd round key
147	do_block	dec_dround, dec_fround
148ENDPROC(aes_decrypt)
149
150	.align		6
151aes_encrypt_4x:
152	add		ip, r2, #32		@ 3rd round key
153	do_block	enc_dround_4x, enc_fround_4x
154ENDPROC(aes_encrypt_4x)
155
156	.align		6
157aes_decrypt_4x:
158	add		ip, r2, #32		@ 3rd round key
159	do_block	dec_dround_4x, dec_fround_4x
160ENDPROC(aes_decrypt_4x)
161
162	.macro		prepare_key, rk, rounds
163	add		ip, \rk, \rounds, lsl #4
164	vld1.32		{q8-q9}, [\rk]		@ load first 2 round keys
165	vld1.32		{q14}, [ip]		@ load last round key
166	.endm
167
168	/*
169	 * aes_ecb_encrypt(u8 out[], u8 const in[], u32 const rk[], int rounds,
170	 *		   int blocks)
171	 * aes_ecb_decrypt(u8 out[], u8 const in[], u32 const rk[], int rounds,
172	 *		   int blocks)
173	 */
174ENTRY(ce_aes_ecb_encrypt)
175	push		{r4, lr}
176	ldr		r4, [sp, #8]
177	prepare_key	r2, r3
178.Lecbencloop4x:
179	subs		r4, r4, #4
180	bmi		.Lecbenc1x
181	vld1.8		{q0-q1}, [r1]!
182	vld1.8		{q2-q3}, [r1]!
183	bl		aes_encrypt_4x
184	vst1.8		{q0-q1}, [r0]!
185	vst1.8		{q2-q3}, [r0]!
186	b		.Lecbencloop4x
187.Lecbenc1x:
188	adds		r4, r4, #4
189	beq		.Lecbencout
190.Lecbencloop:
191	vld1.8		{q0}, [r1]!
192	bl		aes_encrypt
193	vst1.8		{q0}, [r0]!
194	subs		r4, r4, #1
195	bne		.Lecbencloop
196.Lecbencout:
197	pop		{r4, pc}
198ENDPROC(ce_aes_ecb_encrypt)
199
200ENTRY(ce_aes_ecb_decrypt)
201	push		{r4, lr}
202	ldr		r4, [sp, #8]
203	prepare_key	r2, r3
204.Lecbdecloop4x:
205	subs		r4, r4, #4
206	bmi		.Lecbdec1x
207	vld1.8		{q0-q1}, [r1]!
208	vld1.8		{q2-q3}, [r1]!
209	bl		aes_decrypt_4x
210	vst1.8		{q0-q1}, [r0]!
211	vst1.8		{q2-q3}, [r0]!
212	b		.Lecbdecloop4x
213.Lecbdec1x:
214	adds		r4, r4, #4
215	beq		.Lecbdecout
216.Lecbdecloop:
217	vld1.8		{q0}, [r1]!
218	bl		aes_decrypt
219	vst1.8		{q0}, [r0]!
220	subs		r4, r4, #1
221	bne		.Lecbdecloop
222.Lecbdecout:
223	pop		{r4, pc}
224ENDPROC(ce_aes_ecb_decrypt)
225
226	/*
227	 * aes_cbc_encrypt(u8 out[], u8 const in[], u32 const rk[], int rounds,
228	 *		   int blocks, u8 iv[])
229	 * aes_cbc_decrypt(u8 out[], u8 const in[], u32 const rk[], int rounds,
230	 *		   int blocks, u8 iv[])
231	 */
232ENTRY(ce_aes_cbc_encrypt)
233	push		{r4-r6, lr}
234	ldrd		r4, r5, [sp, #16]
235	vld1.8		{q0}, [r5]
236	prepare_key	r2, r3
237.Lcbcencloop:
238	vld1.8		{q1}, [r1]!		@ get next pt block
239	veor		q0, q0, q1		@ ..and xor with iv
240	bl		aes_encrypt
241	vst1.8		{q0}, [r0]!
242	subs		r4, r4, #1
243	bne		.Lcbcencloop
244	vst1.8		{q0}, [r5]
245	pop		{r4-r6, pc}
246ENDPROC(ce_aes_cbc_encrypt)
247
248ENTRY(ce_aes_cbc_decrypt)
249	push		{r4-r6, lr}
250	ldrd		r4, r5, [sp, #16]
251	vld1.8		{q15}, [r5]		@ keep iv in q15
252	prepare_key	r2, r3
253.Lcbcdecloop4x:
254	subs		r4, r4, #4
255	bmi		.Lcbcdec1x
256	vld1.8		{q0-q1}, [r1]!
257	vld1.8		{q2-q3}, [r1]!
258	vmov		q4, q0
259	vmov		q5, q1
260	vmov		q6, q2
261	vmov		q7, q3
262	bl		aes_decrypt_4x
263	veor		q0, q0, q15
264	veor		q1, q1, q4
265	veor		q2, q2, q5
266	veor		q3, q3, q6
267	vmov		q15, q7
268	vst1.8		{q0-q1}, [r0]!
269	vst1.8		{q2-q3}, [r0]!
270	b		.Lcbcdecloop4x
271.Lcbcdec1x:
272	adds		r4, r4, #4
273	beq		.Lcbcdecout
274	vmov		q6, q14			@ preserve last round key
275.Lcbcdecloop:
276	vld1.8		{q0}, [r1]!		@ get next ct block
277	veor		q14, q15, q6		@ combine prev ct with last key
278	vmov		q15, q0
279	bl		aes_decrypt
280	vst1.8		{q0}, [r0]!
281	subs		r4, r4, #1
282	bne		.Lcbcdecloop
283.Lcbcdecout:
284	vst1.8		{q15}, [r5]		@ keep iv in q15
285	pop		{r4-r6, pc}
286ENDPROC(ce_aes_cbc_decrypt)
287
288
289	/*
290	 * ce_aes_cbc_cts_encrypt(u8 out[], u8 const in[], u32 const rk[],
291	 *			  int rounds, int bytes, u8 const iv[])
292	 * ce_aes_cbc_cts_decrypt(u8 out[], u8 const in[], u32 const rk[],
293	 *			  int rounds, int bytes, u8 const iv[])
294	 */
295
296ENTRY(ce_aes_cbc_cts_encrypt)
297	push		{r4-r6, lr}
298	ldrd		r4, r5, [sp, #16]
299
300	movw		ip, :lower16:.Lcts_permute_table
301	movt		ip, :upper16:.Lcts_permute_table
302	sub		r4, r4, #16
303	add		lr, ip, #32
304	add		ip, ip, r4
305	sub		lr, lr, r4
306	vld1.8		{q5}, [ip]
307	vld1.8		{q6}, [lr]
308
309	add		ip, r1, r4
310	vld1.8		{q0}, [r1]			@ overlapping loads
311	vld1.8		{q3}, [ip]
312
313	vld1.8		{q1}, [r5]			@ get iv
314	prepare_key	r2, r3
315
316	veor		q0, q0, q1			@ xor with iv
317	bl		aes_encrypt
318
319	vtbl.8		d4, {d0-d1}, d10
320	vtbl.8		d5, {d0-d1}, d11
321	vtbl.8		d2, {d6-d7}, d12
322	vtbl.8		d3, {d6-d7}, d13
323
324	veor		q0, q0, q1
325	bl		aes_encrypt
326
327	add		r4, r0, r4
328	vst1.8		{q2}, [r4]			@ overlapping stores
329	vst1.8		{q0}, [r0]
330
331	pop		{r4-r6, pc}
332ENDPROC(ce_aes_cbc_cts_encrypt)
333
334ENTRY(ce_aes_cbc_cts_decrypt)
335	push		{r4-r6, lr}
336	ldrd		r4, r5, [sp, #16]
337
338	movw		ip, :lower16:.Lcts_permute_table
339	movt		ip, :upper16:.Lcts_permute_table
340	sub		r4, r4, #16
341	add		lr, ip, #32
342	add		ip, ip, r4
343	sub		lr, lr, r4
344	vld1.8		{q5}, [ip]
345	vld1.8		{q6}, [lr]
346
347	add		ip, r1, r4
348	vld1.8		{q0}, [r1]			@ overlapping loads
349	vld1.8		{q1}, [ip]
350
351	vld1.8		{q3}, [r5]			@ get iv
352	prepare_key	r2, r3
353
354	bl		aes_decrypt
355
356	vtbl.8		d4, {d0-d1}, d10
357	vtbl.8		d5, {d0-d1}, d11
358	vtbx.8		d0, {d2-d3}, d12
359	vtbx.8		d1, {d2-d3}, d13
360
361	veor		q1, q1, q2
362	bl		aes_decrypt
363	veor		q0, q0, q3			@ xor with iv
364
365	add		r4, r0, r4
366	vst1.8		{q1}, [r4]			@ overlapping stores
367	vst1.8		{q0}, [r0]
368
369	pop		{r4-r6, pc}
370ENDPROC(ce_aes_cbc_cts_decrypt)
371
372
373	/*
374	 * aes_ctr_encrypt(u8 out[], u8 const in[], u32 const rk[], int rounds,
375	 *		   int blocks, u8 ctr[])
376	 */
377ENTRY(ce_aes_ctr_encrypt)
378	push		{r4-r6, lr}
379	ldrd		r4, r5, [sp, #16]
380	vld1.8		{q7}, [r5]		@ load ctr
381	prepare_key	r2, r3
382	vmov		r6, s31			@ keep swabbed ctr in r6
383	rev		r6, r6
384	cmn		r6, r4			@ 32 bit overflow?
385	bcs		.Lctrloop
386.Lctrloop4x:
387	subs		r4, r4, #4
388	bmi		.Lctr1x
389
390	/*
391	 * NOTE: the sequence below has been carefully tweaked to avoid
392	 * a silicon erratum that exists in Cortex-A57 (#1742098) and
393	 * Cortex-A72 (#1655431) cores, where AESE/AESMC instruction pairs
394	 * may produce an incorrect result if they take their input from a
395	 * register of which a single 32-bit lane has been updated the last
396	 * time it was modified. To work around this, the lanes of registers
397	 * q0-q3 below are not manipulated individually, and the different
398	 * counter values are prepared by successive manipulations of q7.
399	 */
400	add		ip, r6, #1
401	vmov		q0, q7
402	rev		ip, ip
403	add		lr, r6, #2
404	vmov		s31, ip			@ set lane 3 of q1 via q7
405	add		ip, r6, #3
406	rev		lr, lr
407	vmov		q1, q7
408	vmov		s31, lr			@ set lane 3 of q2 via q7
409	rev		ip, ip
410	vmov		q2, q7
411	vmov		s31, ip			@ set lane 3 of q3 via q7
412	add		r6, r6, #4
413	vmov		q3, q7
414
415	vld1.8		{q4-q5}, [r1]!
416	vld1.8		{q6}, [r1]!
417	vld1.8		{q15}, [r1]!
418	bl		aes_encrypt_4x
419	veor		q0, q0, q4
420	veor		q1, q1, q5
421	veor		q2, q2, q6
422	veor		q3, q3, q15
423	rev		ip, r6
424	vst1.8		{q0-q1}, [r0]!
425	vst1.8		{q2-q3}, [r0]!
426	vmov		s31, ip
427	b		.Lctrloop4x
428.Lctr1x:
429	adds		r4, r4, #4
430	beq		.Lctrout
431.Lctrloop:
432	vmov		q0, q7
433	bl		aes_encrypt
434
435	adds		r6, r6, #1		@ increment BE ctr
436	rev		ip, r6
437	vmov		s31, ip
438	bcs		.Lctrcarry
439
440.Lctrcarrydone:
441	subs		r4, r4, #1
442	bmi		.Lctrtailblock		@ blocks < 0 means tail block
443	vld1.8		{q3}, [r1]!
444	veor		q3, q0, q3
445	vst1.8		{q3}, [r0]!
446	bne		.Lctrloop
447
448.Lctrout:
449	vst1.8		{q7}, [r5]		@ return next CTR value
450	pop		{r4-r6, pc}
451
452.Lctrtailblock:
453	vst1.8		{q0}, [r0, :64]		@ return the key stream
454	b		.Lctrout
455
456.Lctrcarry:
457	.irp		sreg, s30, s29, s28
458	vmov		ip, \sreg		@ load next word of ctr
459	rev		ip, ip			@ ... to handle the carry
460	adds		ip, ip, #1
461	rev		ip, ip
462	vmov		\sreg, ip
463	bcc		.Lctrcarrydone
464	.endr
465	b		.Lctrcarrydone
466ENDPROC(ce_aes_ctr_encrypt)
467
468	/*
469	 * aes_xts_encrypt(u8 out[], u8 const in[], u32 const rk1[], int rounds,
470	 *		   int bytes, u8 iv[], u32 const rk2[], int first)
471	 * aes_xts_decrypt(u8 out[], u8 const in[], u32 const rk1[], int rounds,
472	 *		   int bytes, u8 iv[], u32 const rk2[], int first)
473	 */
474
475	.macro		next_tweak, out, in, const, tmp
476	vshr.s64	\tmp, \in, #63
477	vand		\tmp, \tmp, \const
478	vadd.u64	\out, \in, \in
479	vext.8		\tmp, \tmp, \tmp, #8
480	veor		\out, \out, \tmp
481	.endm
482
483ce_aes_xts_init:
484	vmov.i32	d30, #0x87		@ compose tweak mask vector
485	vmovl.u32	q15, d30
486	vshr.u64	d30, d31, #7
487
488	ldrd		r4, r5, [sp, #16]	@ load args
489	ldr		r6, [sp, #28]
490	vld1.8		{q0}, [r5]		@ load iv
491	teq		r6, #1			@ start of a block?
492	bxne		lr
493
494	@ Encrypt the IV in q0 with the second AES key. This should only
495	@ be done at the start of a block.
496	ldr		r6, [sp, #24]		@ load AES key 2
497	prepare_key	r6, r3
498	add		ip, r6, #32		@ 3rd round key of key 2
499	b		.Laes_encrypt_tweak	@ tail call
500ENDPROC(ce_aes_xts_init)
501
502ENTRY(ce_aes_xts_encrypt)
503	push		{r4-r6, lr}
504
505	bl		ce_aes_xts_init		@ run shared prologue
506	prepare_key	r2, r3
507	vmov		q4, q0
508
509	teq		r6, #0			@ start of a block?
510	bne		.Lxtsenc4x
511
512.Lxtsencloop4x:
513	next_tweak	q4, q4, q15, q10
514.Lxtsenc4x:
515	subs		r4, r4, #64
516	bmi		.Lxtsenc1x
517	vld1.8		{q0-q1}, [r1]!		@ get 4 pt blocks
518	vld1.8		{q2-q3}, [r1]!
519	next_tweak	q5, q4, q15, q10
520	veor		q0, q0, q4
521	next_tweak	q6, q5, q15, q10
522	veor		q1, q1, q5
523	next_tweak	q7, q6, q15, q10
524	veor		q2, q2, q6
525	veor		q3, q3, q7
526	bl		aes_encrypt_4x
527	veor		q0, q0, q4
528	veor		q1, q1, q5
529	veor		q2, q2, q6
530	veor		q3, q3, q7
531	vst1.8		{q0-q1}, [r0]!		@ write 4 ct blocks
532	vst1.8		{q2-q3}, [r0]!
533	vmov		q4, q7
534	teq		r4, #0
535	beq		.Lxtsencret
536	b		.Lxtsencloop4x
537.Lxtsenc1x:
538	adds		r4, r4, #64
539	beq		.Lxtsencout
540	subs		r4, r4, #16
541	bmi		.LxtsencctsNx
542.Lxtsencloop:
543	vld1.8		{q0}, [r1]!
544.Lxtsencctsout:
545	veor		q0, q0, q4
546	bl		aes_encrypt
547	veor		q0, q0, q4
548	teq		r4, #0
549	beq		.Lxtsencout
550	subs		r4, r4, #16
551	next_tweak	q4, q4, q15, q6
552	bmi		.Lxtsenccts
553	vst1.8		{q0}, [r0]!
554	b		.Lxtsencloop
555.Lxtsencout:
556	vst1.8		{q0}, [r0]
557.Lxtsencret:
558	vst1.8		{q4}, [r5]
559	pop		{r4-r6, pc}
560
561.LxtsencctsNx:
562	vmov		q0, q3
563	sub		r0, r0, #16
564.Lxtsenccts:
565	movw		ip, :lower16:.Lcts_permute_table
566	movt		ip, :upper16:.Lcts_permute_table
567
568	add		r1, r1, r4		@ rewind input pointer
569	add		r4, r4, #16		@ # bytes in final block
570	add		lr, ip, #32
571	add		ip, ip, r4
572	sub		lr, lr, r4
573	add		r4, r0, r4		@ output address of final block
574
575	vld1.8		{q1}, [r1]		@ load final partial block
576	vld1.8		{q2}, [ip]
577	vld1.8		{q3}, [lr]
578
579	vtbl.8		d4, {d0-d1}, d4
580	vtbl.8		d5, {d0-d1}, d5
581	vtbx.8		d0, {d2-d3}, d6
582	vtbx.8		d1, {d2-d3}, d7
583
584	vst1.8		{q2}, [r4]		@ overlapping stores
585	mov		r4, #0
586	b		.Lxtsencctsout
587ENDPROC(ce_aes_xts_encrypt)
588
589
590ENTRY(ce_aes_xts_decrypt)
591	push		{r4-r6, lr}
592
593	bl		ce_aes_xts_init		@ run shared prologue
594	prepare_key	r2, r3
595	vmov		q4, q0
596
597	/* subtract 16 bytes if we are doing CTS */
598	tst		r4, #0xf
599	subne		r4, r4, #0x10
600
601	teq		r6, #0			@ start of a block?
602	bne		.Lxtsdec4x
603
604.Lxtsdecloop4x:
605	next_tweak	q4, q4, q15, q10
606.Lxtsdec4x:
607	subs		r4, r4, #64
608	bmi		.Lxtsdec1x
609	vld1.8		{q0-q1}, [r1]!		@ get 4 ct blocks
610	vld1.8		{q2-q3}, [r1]!
611	next_tweak	q5, q4, q15, q10
612	veor		q0, q0, q4
613	next_tweak	q6, q5, q15, q10
614	veor		q1, q1, q5
615	next_tweak	q7, q6, q15, q10
616	veor		q2, q2, q6
617	veor		q3, q3, q7
618	bl		aes_decrypt_4x
619	veor		q0, q0, q4
620	veor		q1, q1, q5
621	veor		q2, q2, q6
622	veor		q3, q3, q7
623	vst1.8		{q0-q1}, [r0]!		@ write 4 pt blocks
624	vst1.8		{q2-q3}, [r0]!
625	vmov		q4, q7
626	teq		r4, #0
627	beq		.Lxtsdecout
628	b		.Lxtsdecloop4x
629.Lxtsdec1x:
630	adds		r4, r4, #64
631	beq		.Lxtsdecout
632	subs		r4, r4, #16
633.Lxtsdecloop:
634	vld1.8		{q0}, [r1]!
635	bmi		.Lxtsdeccts
636.Lxtsdecctsout:
637	veor		q0, q0, q4
638	bl		aes_decrypt
639	veor		q0, q0, q4
640	vst1.8		{q0}, [r0]!
641	teq		r4, #0
642	beq		.Lxtsdecout
643	subs		r4, r4, #16
644	next_tweak	q4, q4, q15, q6
645	b		.Lxtsdecloop
646.Lxtsdecout:
647	vst1.8		{q4}, [r5]
648	pop		{r4-r6, pc}
649
650.Lxtsdeccts:
651	movw		ip, :lower16:.Lcts_permute_table
652	movt		ip, :upper16:.Lcts_permute_table
653
654	add		r1, r1, r4		@ rewind input pointer
655	add		r4, r4, #16		@ # bytes in final block
656	add		lr, ip, #32
657	add		ip, ip, r4
658	sub		lr, lr, r4
659	add		r4, r0, r4		@ output address of final block
660
661	next_tweak	q5, q4, q15, q6
662
663	vld1.8		{q1}, [r1]		@ load final partial block
664	vld1.8		{q2}, [ip]
665	vld1.8		{q3}, [lr]
666
667	veor		q0, q0, q5
668	bl		aes_decrypt
669	veor		q0, q0, q5
670
671	vtbl.8		d4, {d0-d1}, d4
672	vtbl.8		d5, {d0-d1}, d5
673	vtbx.8		d0, {d2-d3}, d6
674	vtbx.8		d1, {d2-d3}, d7
675
676	vst1.8		{q2}, [r4]		@ overlapping stores
677	mov		r4, #0
678	b		.Lxtsdecctsout
679ENDPROC(ce_aes_xts_decrypt)
680
681	/*
682	 * u32 ce_aes_sub(u32 input) - use the aese instruction to perform the
683	 *                             AES sbox substitution on each byte in
684	 *                             'input'
685	 */
686ENTRY(ce_aes_sub)
687	vdup.32		q1, r0
688	veor		q0, q0, q0
689	aese.8		q0, q1
690	vmov		r0, s0
691	bx		lr
692ENDPROC(ce_aes_sub)
693
694	/*
695	 * void ce_aes_invert(u8 *dst, u8 *src) - perform the Inverse MixColumns
696	 *                                        operation on round key *src
697	 */
698ENTRY(ce_aes_invert)
699	vld1.32		{q0}, [r1]
700	aesimc.8	q0, q0
701	vst1.32		{q0}, [r0]
702	bx		lr
703ENDPROC(ce_aes_invert)
704
705	.section	".rodata", "a"
706	.align		6
707.Lcts_permute_table:
708	.byte		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
709	.byte		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
710	.byte		 0x0,  0x1,  0x2,  0x3,  0x4,  0x5,  0x6,  0x7
711	.byte		 0x8,  0x9,  0xa,  0xb,  0xc,  0xd,  0xe,  0xf
712	.byte		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
713	.byte		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff
714