1*eb24af5dSJerry Shih/* SPDX-License-Identifier: Apache-2.0 OR BSD-2-Clause */ 2*eb24af5dSJerry Shih// 3*eb24af5dSJerry Shih// This file is dual-licensed, meaning that you can use it under your 4*eb24af5dSJerry Shih// choice of either of the following two licenses: 5*eb24af5dSJerry Shih// 6*eb24af5dSJerry Shih// Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. 7*eb24af5dSJerry Shih// 8*eb24af5dSJerry Shih// Licensed under the Apache License 2.0 (the "License"). You can obtain 9*eb24af5dSJerry Shih// a copy in the file LICENSE in the source distribution or at 10*eb24af5dSJerry Shih// https://www.openssl.org/source/license.html 11*eb24af5dSJerry Shih// 12*eb24af5dSJerry Shih// or 13*eb24af5dSJerry Shih// 14*eb24af5dSJerry Shih// Copyright (c) 2023, Christoph Müllner <christoph.muellner@vrull.eu> 15*eb24af5dSJerry Shih// Copyright (c) 2023, Phoebe Chen <phoebe.chen@sifive.com> 16*eb24af5dSJerry Shih// Copyright (c) 2023, Jerry Shih <jerry.shih@sifive.com> 17*eb24af5dSJerry Shih// Copyright 2024 Google LLC 18*eb24af5dSJerry Shih// All rights reserved. 19*eb24af5dSJerry Shih// 20*eb24af5dSJerry Shih// Redistribution and use in source and binary forms, with or without 21*eb24af5dSJerry Shih// modification, are permitted provided that the following conditions 22*eb24af5dSJerry Shih// are met: 23*eb24af5dSJerry Shih// 1. Redistributions of source code must retain the above copyright 24*eb24af5dSJerry Shih// notice, this list of conditions and the following disclaimer. 25*eb24af5dSJerry Shih// 2. Redistributions in binary form must reproduce the above copyright 26*eb24af5dSJerry Shih// notice, this list of conditions and the following disclaimer in the 27*eb24af5dSJerry Shih// documentation and/or other materials provided with the distribution. 28*eb24af5dSJerry Shih// 29*eb24af5dSJerry Shih// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 30*eb24af5dSJerry Shih// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 31*eb24af5dSJerry Shih// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 32*eb24af5dSJerry Shih// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 33*eb24af5dSJerry Shih// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 34*eb24af5dSJerry Shih// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 35*eb24af5dSJerry Shih// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 36*eb24af5dSJerry Shih// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 37*eb24af5dSJerry Shih// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 38*eb24af5dSJerry Shih// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 39*eb24af5dSJerry Shih// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 40*eb24af5dSJerry Shih 41*eb24af5dSJerry Shih// This file contains macros that are shared by the other aes-*.S files. The 42*eb24af5dSJerry Shih// generated code of these macros depends on the following RISC-V extensions: 43*eb24af5dSJerry Shih// - RV64I 44*eb24af5dSJerry Shih// - RISC-V Vector ('V') with VLEN >= 128 45*eb24af5dSJerry Shih// - RISC-V Vector AES block cipher extension ('Zvkned') 46*eb24af5dSJerry Shih 47*eb24af5dSJerry Shih// Loads the AES round keys from \keyp into vector registers and jumps to code 48*eb24af5dSJerry Shih// specific to the length of the key. Specifically: 49*eb24af5dSJerry Shih// - If AES-128, loads round keys into v1-v11 and jumps to \label128. 50*eb24af5dSJerry Shih// - If AES-192, loads round keys into v1-v13 and jumps to \label192. 51*eb24af5dSJerry Shih// - If AES-256, loads round keys into v1-v15 and continues onwards. 52*eb24af5dSJerry Shih// 53*eb24af5dSJerry Shih// Also sets vl=4 and vtype=e32,m1,ta,ma. Clobbers t0 and t1. 54*eb24af5dSJerry Shih.macro aes_begin keyp, label128, label192 55*eb24af5dSJerry Shih lwu t0, 480(\keyp) // t0 = key length in bytes 56*eb24af5dSJerry Shih li t1, 24 // t1 = key length for AES-192 57*eb24af5dSJerry Shih vsetivli zero, 4, e32, m1, ta, ma 58*eb24af5dSJerry Shih vle32.v v1, (\keyp) 59*eb24af5dSJerry Shih addi \keyp, \keyp, 16 60*eb24af5dSJerry Shih vle32.v v2, (\keyp) 61*eb24af5dSJerry Shih addi \keyp, \keyp, 16 62*eb24af5dSJerry Shih vle32.v v3, (\keyp) 63*eb24af5dSJerry Shih addi \keyp, \keyp, 16 64*eb24af5dSJerry Shih vle32.v v4, (\keyp) 65*eb24af5dSJerry Shih addi \keyp, \keyp, 16 66*eb24af5dSJerry Shih vle32.v v5, (\keyp) 67*eb24af5dSJerry Shih addi \keyp, \keyp, 16 68*eb24af5dSJerry Shih vle32.v v6, (\keyp) 69*eb24af5dSJerry Shih addi \keyp, \keyp, 16 70*eb24af5dSJerry Shih vle32.v v7, (\keyp) 71*eb24af5dSJerry Shih addi \keyp, \keyp, 16 72*eb24af5dSJerry Shih vle32.v v8, (\keyp) 73*eb24af5dSJerry Shih addi \keyp, \keyp, 16 74*eb24af5dSJerry Shih vle32.v v9, (\keyp) 75*eb24af5dSJerry Shih addi \keyp, \keyp, 16 76*eb24af5dSJerry Shih vle32.v v10, (\keyp) 77*eb24af5dSJerry Shih addi \keyp, \keyp, 16 78*eb24af5dSJerry Shih vle32.v v11, (\keyp) 79*eb24af5dSJerry Shih blt t0, t1, \label128 // If AES-128, goto label128. 80*eb24af5dSJerry Shih addi \keyp, \keyp, 16 81*eb24af5dSJerry Shih vle32.v v12, (\keyp) 82*eb24af5dSJerry Shih addi \keyp, \keyp, 16 83*eb24af5dSJerry Shih vle32.v v13, (\keyp) 84*eb24af5dSJerry Shih beq t0, t1, \label192 // If AES-192, goto label192. 85*eb24af5dSJerry Shih // Else, it's AES-256. 86*eb24af5dSJerry Shih addi \keyp, \keyp, 16 87*eb24af5dSJerry Shih vle32.v v14, (\keyp) 88*eb24af5dSJerry Shih addi \keyp, \keyp, 16 89*eb24af5dSJerry Shih vle32.v v15, (\keyp) 90*eb24af5dSJerry Shih.endm 91*eb24af5dSJerry Shih 92*eb24af5dSJerry Shih// Encrypts \data using zvkned instructions, using the round keys loaded into 93*eb24af5dSJerry Shih// v1-v11 (for AES-128), v1-v13 (for AES-192), or v1-v15 (for AES-256). \keylen 94*eb24af5dSJerry Shih// is the AES key length in bits. vl and vtype must already be set 95*eb24af5dSJerry Shih// appropriately. Note that if vl > 4, multiple blocks are encrypted. 96*eb24af5dSJerry Shih.macro aes_encrypt data, keylen 97*eb24af5dSJerry Shih vaesz.vs \data, v1 98*eb24af5dSJerry Shih vaesem.vs \data, v2 99*eb24af5dSJerry Shih vaesem.vs \data, v3 100*eb24af5dSJerry Shih vaesem.vs \data, v4 101*eb24af5dSJerry Shih vaesem.vs \data, v5 102*eb24af5dSJerry Shih vaesem.vs \data, v6 103*eb24af5dSJerry Shih vaesem.vs \data, v7 104*eb24af5dSJerry Shih vaesem.vs \data, v8 105*eb24af5dSJerry Shih vaesem.vs \data, v9 106*eb24af5dSJerry Shih vaesem.vs \data, v10 107*eb24af5dSJerry Shih.if \keylen == 128 108*eb24af5dSJerry Shih vaesef.vs \data, v11 109*eb24af5dSJerry Shih.elseif \keylen == 192 110*eb24af5dSJerry Shih vaesem.vs \data, v11 111*eb24af5dSJerry Shih vaesem.vs \data, v12 112*eb24af5dSJerry Shih vaesef.vs \data, v13 113*eb24af5dSJerry Shih.else 114*eb24af5dSJerry Shih vaesem.vs \data, v11 115*eb24af5dSJerry Shih vaesem.vs \data, v12 116*eb24af5dSJerry Shih vaesem.vs \data, v13 117*eb24af5dSJerry Shih vaesem.vs \data, v14 118*eb24af5dSJerry Shih vaesef.vs \data, v15 119*eb24af5dSJerry Shih.endif 120*eb24af5dSJerry Shih.endm 121*eb24af5dSJerry Shih 122*eb24af5dSJerry Shih// Same as aes_encrypt, but decrypts instead of encrypts. 123*eb24af5dSJerry Shih.macro aes_decrypt data, keylen 124*eb24af5dSJerry Shih.if \keylen == 128 125*eb24af5dSJerry Shih vaesz.vs \data, v11 126*eb24af5dSJerry Shih.elseif \keylen == 192 127*eb24af5dSJerry Shih vaesz.vs \data, v13 128*eb24af5dSJerry Shih vaesdm.vs \data, v12 129*eb24af5dSJerry Shih vaesdm.vs \data, v11 130*eb24af5dSJerry Shih.else 131*eb24af5dSJerry Shih vaesz.vs \data, v15 132*eb24af5dSJerry Shih vaesdm.vs \data, v14 133*eb24af5dSJerry Shih vaesdm.vs \data, v13 134*eb24af5dSJerry Shih vaesdm.vs \data, v12 135*eb24af5dSJerry Shih vaesdm.vs \data, v11 136*eb24af5dSJerry Shih.endif 137*eb24af5dSJerry Shih vaesdm.vs \data, v10 138*eb24af5dSJerry Shih vaesdm.vs \data, v9 139*eb24af5dSJerry Shih vaesdm.vs \data, v8 140*eb24af5dSJerry Shih vaesdm.vs \data, v7 141*eb24af5dSJerry Shih vaesdm.vs \data, v6 142*eb24af5dSJerry Shih vaesdm.vs \data, v5 143*eb24af5dSJerry Shih vaesdm.vs \data, v4 144*eb24af5dSJerry Shih vaesdm.vs \data, v3 145*eb24af5dSJerry Shih vaesdm.vs \data, v2 146*eb24af5dSJerry Shih vaesdf.vs \data, v1 147*eb24af5dSJerry Shih.endm 148*eb24af5dSJerry Shih 149*eb24af5dSJerry Shih// Expands to aes_encrypt or aes_decrypt according to \enc, which is 1 or 0. 150*eb24af5dSJerry Shih.macro aes_crypt data, enc, keylen 151*eb24af5dSJerry Shih.if \enc 152*eb24af5dSJerry Shih aes_encrypt \data, \keylen 153*eb24af5dSJerry Shih.else 154*eb24af5dSJerry Shih aes_decrypt \data, \keylen 155*eb24af5dSJerry Shih.endif 156*eb24af5dSJerry Shih.endm 157