xref: /linux/arch/x86/crypto/chacha-avx2-x86_64.S (revision 4b132aacb0768ac1e652cf517097ea6f237214b9)
1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/*
3 * ChaCha 256-bit cipher algorithm, x64 AVX2 functions
4 *
5 * Copyright (C) 2015 Martin Willi
6 */
7
8#include <linux/linkage.h>
9
10.section	.rodata.cst32.ROT8, "aM", @progbits, 32
11.align 32
12ROT8:	.octa 0x0e0d0c0f0a09080b0605040702010003
13	.octa 0x0e0d0c0f0a09080b0605040702010003
14
15.section	.rodata.cst32.ROT16, "aM", @progbits, 32
16.align 32
17ROT16:	.octa 0x0d0c0f0e09080b0a0504070601000302
18	.octa 0x0d0c0f0e09080b0a0504070601000302
19
20.section	.rodata.cst32.CTRINC, "aM", @progbits, 32
21.align 32
22CTRINC:	.octa 0x00000003000000020000000100000000
23	.octa 0x00000007000000060000000500000004
24
25.section	.rodata.cst32.CTR2BL, "aM", @progbits, 32
26.align 32
27CTR2BL:	.octa 0x00000000000000000000000000000000
28	.octa 0x00000000000000000000000000000001
29
30.section	.rodata.cst32.CTR4BL, "aM", @progbits, 32
31.align 32
32CTR4BL:	.octa 0x00000000000000000000000000000002
33	.octa 0x00000000000000000000000000000003
34
35.text
36
37SYM_FUNC_START(chacha_2block_xor_avx2)
38	# %rdi: Input state matrix, s
39	# %rsi: up to 2 data blocks output, o
40	# %rdx: up to 2 data blocks input, i
41	# %rcx: input/output length in bytes
42	# %r8d: nrounds
43
44	# This function encrypts two ChaCha blocks by loading the state
45	# matrix twice across four AVX registers. It performs matrix operations
46	# on four words in each matrix in parallel, but requires shuffling to
47	# rearrange the words after each round.
48
49	vzeroupper
50
51	# x0..3[0-2] = s0..3
52	vbroadcasti128	0x00(%rdi),%ymm0
53	vbroadcasti128	0x10(%rdi),%ymm1
54	vbroadcasti128	0x20(%rdi),%ymm2
55	vbroadcasti128	0x30(%rdi),%ymm3
56
57	vpaddd		CTR2BL(%rip),%ymm3,%ymm3
58
59	vmovdqa		%ymm0,%ymm8
60	vmovdqa		%ymm1,%ymm9
61	vmovdqa		%ymm2,%ymm10
62	vmovdqa		%ymm3,%ymm11
63
64	vmovdqa		ROT8(%rip),%ymm4
65	vmovdqa		ROT16(%rip),%ymm5
66
67	mov		%rcx,%rax
68
69.Ldoubleround:
70
71	# x0 += x1, x3 = rotl32(x3 ^ x0, 16)
72	vpaddd		%ymm1,%ymm0,%ymm0
73	vpxor		%ymm0,%ymm3,%ymm3
74	vpshufb		%ymm5,%ymm3,%ymm3
75
76	# x2 += x3, x1 = rotl32(x1 ^ x2, 12)
77	vpaddd		%ymm3,%ymm2,%ymm2
78	vpxor		%ymm2,%ymm1,%ymm1
79	vmovdqa		%ymm1,%ymm6
80	vpslld		$12,%ymm6,%ymm6
81	vpsrld		$20,%ymm1,%ymm1
82	vpor		%ymm6,%ymm1,%ymm1
83
84	# x0 += x1, x3 = rotl32(x3 ^ x0, 8)
85	vpaddd		%ymm1,%ymm0,%ymm0
86	vpxor		%ymm0,%ymm3,%ymm3
87	vpshufb		%ymm4,%ymm3,%ymm3
88
89	# x2 += x3, x1 = rotl32(x1 ^ x2, 7)
90	vpaddd		%ymm3,%ymm2,%ymm2
91	vpxor		%ymm2,%ymm1,%ymm1
92	vmovdqa		%ymm1,%ymm7
93	vpslld		$7,%ymm7,%ymm7
94	vpsrld		$25,%ymm1,%ymm1
95	vpor		%ymm7,%ymm1,%ymm1
96
97	# x1 = shuffle32(x1, MASK(0, 3, 2, 1))
98	vpshufd		$0x39,%ymm1,%ymm1
99	# x2 = shuffle32(x2, MASK(1, 0, 3, 2))
100	vpshufd		$0x4e,%ymm2,%ymm2
101	# x3 = shuffle32(x3, MASK(2, 1, 0, 3))
102	vpshufd		$0x93,%ymm3,%ymm3
103
104	# x0 += x1, x3 = rotl32(x3 ^ x0, 16)
105	vpaddd		%ymm1,%ymm0,%ymm0
106	vpxor		%ymm0,%ymm3,%ymm3
107	vpshufb		%ymm5,%ymm3,%ymm3
108
109	# x2 += x3, x1 = rotl32(x1 ^ x2, 12)
110	vpaddd		%ymm3,%ymm2,%ymm2
111	vpxor		%ymm2,%ymm1,%ymm1
112	vmovdqa		%ymm1,%ymm6
113	vpslld		$12,%ymm6,%ymm6
114	vpsrld		$20,%ymm1,%ymm1
115	vpor		%ymm6,%ymm1,%ymm1
116
117	# x0 += x1, x3 = rotl32(x3 ^ x0, 8)
118	vpaddd		%ymm1,%ymm0,%ymm0
119	vpxor		%ymm0,%ymm3,%ymm3
120	vpshufb		%ymm4,%ymm3,%ymm3
121
122	# x2 += x3, x1 = rotl32(x1 ^ x2, 7)
123	vpaddd		%ymm3,%ymm2,%ymm2
124	vpxor		%ymm2,%ymm1,%ymm1
125	vmovdqa		%ymm1,%ymm7
126	vpslld		$7,%ymm7,%ymm7
127	vpsrld		$25,%ymm1,%ymm1
128	vpor		%ymm7,%ymm1,%ymm1
129
130	# x1 = shuffle32(x1, MASK(2, 1, 0, 3))
131	vpshufd		$0x93,%ymm1,%ymm1
132	# x2 = shuffle32(x2, MASK(1, 0, 3, 2))
133	vpshufd		$0x4e,%ymm2,%ymm2
134	# x3 = shuffle32(x3, MASK(0, 3, 2, 1))
135	vpshufd		$0x39,%ymm3,%ymm3
136
137	sub		$2,%r8d
138	jnz		.Ldoubleround
139
140	# o0 = i0 ^ (x0 + s0)
141	vpaddd		%ymm8,%ymm0,%ymm7
142	cmp		$0x10,%rax
143	jl		.Lxorpart2
144	vpxor		0x00(%rdx),%xmm7,%xmm6
145	vmovdqu		%xmm6,0x00(%rsi)
146	vextracti128	$1,%ymm7,%xmm0
147	# o1 = i1 ^ (x1 + s1)
148	vpaddd		%ymm9,%ymm1,%ymm7
149	cmp		$0x20,%rax
150	jl		.Lxorpart2
151	vpxor		0x10(%rdx),%xmm7,%xmm6
152	vmovdqu		%xmm6,0x10(%rsi)
153	vextracti128	$1,%ymm7,%xmm1
154	# o2 = i2 ^ (x2 + s2)
155	vpaddd		%ymm10,%ymm2,%ymm7
156	cmp		$0x30,%rax
157	jl		.Lxorpart2
158	vpxor		0x20(%rdx),%xmm7,%xmm6
159	vmovdqu		%xmm6,0x20(%rsi)
160	vextracti128	$1,%ymm7,%xmm2
161	# o3 = i3 ^ (x3 + s3)
162	vpaddd		%ymm11,%ymm3,%ymm7
163	cmp		$0x40,%rax
164	jl		.Lxorpart2
165	vpxor		0x30(%rdx),%xmm7,%xmm6
166	vmovdqu		%xmm6,0x30(%rsi)
167	vextracti128	$1,%ymm7,%xmm3
168
169	# xor and write second block
170	vmovdqa		%xmm0,%xmm7
171	cmp		$0x50,%rax
172	jl		.Lxorpart2
173	vpxor		0x40(%rdx),%xmm7,%xmm6
174	vmovdqu		%xmm6,0x40(%rsi)
175
176	vmovdqa		%xmm1,%xmm7
177	cmp		$0x60,%rax
178	jl		.Lxorpart2
179	vpxor		0x50(%rdx),%xmm7,%xmm6
180	vmovdqu		%xmm6,0x50(%rsi)
181
182	vmovdqa		%xmm2,%xmm7
183	cmp		$0x70,%rax
184	jl		.Lxorpart2
185	vpxor		0x60(%rdx),%xmm7,%xmm6
186	vmovdqu		%xmm6,0x60(%rsi)
187
188	vmovdqa		%xmm3,%xmm7
189	cmp		$0x80,%rax
190	jl		.Lxorpart2
191	vpxor		0x70(%rdx),%xmm7,%xmm6
192	vmovdqu		%xmm6,0x70(%rsi)
193
194.Ldone2:
195	vzeroupper
196	RET
197
198.Lxorpart2:
199	# xor remaining bytes from partial register into output
200	mov		%rax,%r9
201	and		$0x0f,%r9
202	jz		.Ldone2
203	and		$~0x0f,%rax
204
205	mov		%rsi,%r11
206
207	lea		8(%rsp),%r10
208	sub		$0x10,%rsp
209	and		$~31,%rsp
210
211	lea		(%rdx,%rax),%rsi
212	mov		%rsp,%rdi
213	mov		%r9,%rcx
214	rep movsb
215
216	vpxor		0x00(%rsp),%xmm7,%xmm7
217	vmovdqa		%xmm7,0x00(%rsp)
218
219	mov		%rsp,%rsi
220	lea		(%r11,%rax),%rdi
221	mov		%r9,%rcx
222	rep movsb
223
224	lea		-8(%r10),%rsp
225	jmp		.Ldone2
226
227SYM_FUNC_END(chacha_2block_xor_avx2)
228
229SYM_FUNC_START(chacha_4block_xor_avx2)
230	# %rdi: Input state matrix, s
231	# %rsi: up to 4 data blocks output, o
232	# %rdx: up to 4 data blocks input, i
233	# %rcx: input/output length in bytes
234	# %r8d: nrounds
235
236	# This function encrypts four ChaCha blocks by loading the state
237	# matrix four times across eight AVX registers. It performs matrix
238	# operations on four words in two matrices in parallel, sequentially
239	# to the operations on the four words of the other two matrices. The
240	# required word shuffling has a rather high latency, we can do the
241	# arithmetic on two matrix-pairs without much slowdown.
242
243	vzeroupper
244
245	# x0..3[0-4] = s0..3
246	vbroadcasti128	0x00(%rdi),%ymm0
247	vbroadcasti128	0x10(%rdi),%ymm1
248	vbroadcasti128	0x20(%rdi),%ymm2
249	vbroadcasti128	0x30(%rdi),%ymm3
250
251	vmovdqa		%ymm0,%ymm4
252	vmovdqa		%ymm1,%ymm5
253	vmovdqa		%ymm2,%ymm6
254	vmovdqa		%ymm3,%ymm7
255
256	vpaddd		CTR2BL(%rip),%ymm3,%ymm3
257	vpaddd		CTR4BL(%rip),%ymm7,%ymm7
258
259	vmovdqa		%ymm0,%ymm11
260	vmovdqa		%ymm1,%ymm12
261	vmovdqa		%ymm2,%ymm13
262	vmovdqa		%ymm3,%ymm14
263	vmovdqa		%ymm7,%ymm15
264
265	vmovdqa		ROT8(%rip),%ymm8
266	vmovdqa		ROT16(%rip),%ymm9
267
268	mov		%rcx,%rax
269
270.Ldoubleround4:
271
272	# x0 += x1, x3 = rotl32(x3 ^ x0, 16)
273	vpaddd		%ymm1,%ymm0,%ymm0
274	vpxor		%ymm0,%ymm3,%ymm3
275	vpshufb		%ymm9,%ymm3,%ymm3
276
277	vpaddd		%ymm5,%ymm4,%ymm4
278	vpxor		%ymm4,%ymm7,%ymm7
279	vpshufb		%ymm9,%ymm7,%ymm7
280
281	# x2 += x3, x1 = rotl32(x1 ^ x2, 12)
282	vpaddd		%ymm3,%ymm2,%ymm2
283	vpxor		%ymm2,%ymm1,%ymm1
284	vmovdqa		%ymm1,%ymm10
285	vpslld		$12,%ymm10,%ymm10
286	vpsrld		$20,%ymm1,%ymm1
287	vpor		%ymm10,%ymm1,%ymm1
288
289	vpaddd		%ymm7,%ymm6,%ymm6
290	vpxor		%ymm6,%ymm5,%ymm5
291	vmovdqa		%ymm5,%ymm10
292	vpslld		$12,%ymm10,%ymm10
293	vpsrld		$20,%ymm5,%ymm5
294	vpor		%ymm10,%ymm5,%ymm5
295
296	# x0 += x1, x3 = rotl32(x3 ^ x0, 8)
297	vpaddd		%ymm1,%ymm0,%ymm0
298	vpxor		%ymm0,%ymm3,%ymm3
299	vpshufb		%ymm8,%ymm3,%ymm3
300
301	vpaddd		%ymm5,%ymm4,%ymm4
302	vpxor		%ymm4,%ymm7,%ymm7
303	vpshufb		%ymm8,%ymm7,%ymm7
304
305	# x2 += x3, x1 = rotl32(x1 ^ x2, 7)
306	vpaddd		%ymm3,%ymm2,%ymm2
307	vpxor		%ymm2,%ymm1,%ymm1
308	vmovdqa		%ymm1,%ymm10
309	vpslld		$7,%ymm10,%ymm10
310	vpsrld		$25,%ymm1,%ymm1
311	vpor		%ymm10,%ymm1,%ymm1
312
313	vpaddd		%ymm7,%ymm6,%ymm6
314	vpxor		%ymm6,%ymm5,%ymm5
315	vmovdqa		%ymm5,%ymm10
316	vpslld		$7,%ymm10,%ymm10
317	vpsrld		$25,%ymm5,%ymm5
318	vpor		%ymm10,%ymm5,%ymm5
319
320	# x1 = shuffle32(x1, MASK(0, 3, 2, 1))
321	vpshufd		$0x39,%ymm1,%ymm1
322	vpshufd		$0x39,%ymm5,%ymm5
323	# x2 = shuffle32(x2, MASK(1, 0, 3, 2))
324	vpshufd		$0x4e,%ymm2,%ymm2
325	vpshufd		$0x4e,%ymm6,%ymm6
326	# x3 = shuffle32(x3, MASK(2, 1, 0, 3))
327	vpshufd		$0x93,%ymm3,%ymm3
328	vpshufd		$0x93,%ymm7,%ymm7
329
330	# x0 += x1, x3 = rotl32(x3 ^ x0, 16)
331	vpaddd		%ymm1,%ymm0,%ymm0
332	vpxor		%ymm0,%ymm3,%ymm3
333	vpshufb		%ymm9,%ymm3,%ymm3
334
335	vpaddd		%ymm5,%ymm4,%ymm4
336	vpxor		%ymm4,%ymm7,%ymm7
337	vpshufb		%ymm9,%ymm7,%ymm7
338
339	# x2 += x3, x1 = rotl32(x1 ^ x2, 12)
340	vpaddd		%ymm3,%ymm2,%ymm2
341	vpxor		%ymm2,%ymm1,%ymm1
342	vmovdqa		%ymm1,%ymm10
343	vpslld		$12,%ymm10,%ymm10
344	vpsrld		$20,%ymm1,%ymm1
345	vpor		%ymm10,%ymm1,%ymm1
346
347	vpaddd		%ymm7,%ymm6,%ymm6
348	vpxor		%ymm6,%ymm5,%ymm5
349	vmovdqa		%ymm5,%ymm10
350	vpslld		$12,%ymm10,%ymm10
351	vpsrld		$20,%ymm5,%ymm5
352	vpor		%ymm10,%ymm5,%ymm5
353
354	# x0 += x1, x3 = rotl32(x3 ^ x0, 8)
355	vpaddd		%ymm1,%ymm0,%ymm0
356	vpxor		%ymm0,%ymm3,%ymm3
357	vpshufb		%ymm8,%ymm3,%ymm3
358
359	vpaddd		%ymm5,%ymm4,%ymm4
360	vpxor		%ymm4,%ymm7,%ymm7
361	vpshufb		%ymm8,%ymm7,%ymm7
362
363	# x2 += x3, x1 = rotl32(x1 ^ x2, 7)
364	vpaddd		%ymm3,%ymm2,%ymm2
365	vpxor		%ymm2,%ymm1,%ymm1
366	vmovdqa		%ymm1,%ymm10
367	vpslld		$7,%ymm10,%ymm10
368	vpsrld		$25,%ymm1,%ymm1
369	vpor		%ymm10,%ymm1,%ymm1
370
371	vpaddd		%ymm7,%ymm6,%ymm6
372	vpxor		%ymm6,%ymm5,%ymm5
373	vmovdqa		%ymm5,%ymm10
374	vpslld		$7,%ymm10,%ymm10
375	vpsrld		$25,%ymm5,%ymm5
376	vpor		%ymm10,%ymm5,%ymm5
377
378	# x1 = shuffle32(x1, MASK(2, 1, 0, 3))
379	vpshufd		$0x93,%ymm1,%ymm1
380	vpshufd		$0x93,%ymm5,%ymm5
381	# x2 = shuffle32(x2, MASK(1, 0, 3, 2))
382	vpshufd		$0x4e,%ymm2,%ymm2
383	vpshufd		$0x4e,%ymm6,%ymm6
384	# x3 = shuffle32(x3, MASK(0, 3, 2, 1))
385	vpshufd		$0x39,%ymm3,%ymm3
386	vpshufd		$0x39,%ymm7,%ymm7
387
388	sub		$2,%r8d
389	jnz		.Ldoubleround4
390
391	# o0 = i0 ^ (x0 + s0), first block
392	vpaddd		%ymm11,%ymm0,%ymm10
393	cmp		$0x10,%rax
394	jl		.Lxorpart4
395	vpxor		0x00(%rdx),%xmm10,%xmm9
396	vmovdqu		%xmm9,0x00(%rsi)
397	vextracti128	$1,%ymm10,%xmm0
398	# o1 = i1 ^ (x1 + s1), first block
399	vpaddd		%ymm12,%ymm1,%ymm10
400	cmp		$0x20,%rax
401	jl		.Lxorpart4
402	vpxor		0x10(%rdx),%xmm10,%xmm9
403	vmovdqu		%xmm9,0x10(%rsi)
404	vextracti128	$1,%ymm10,%xmm1
405	# o2 = i2 ^ (x2 + s2), first block
406	vpaddd		%ymm13,%ymm2,%ymm10
407	cmp		$0x30,%rax
408	jl		.Lxorpart4
409	vpxor		0x20(%rdx),%xmm10,%xmm9
410	vmovdqu		%xmm9,0x20(%rsi)
411	vextracti128	$1,%ymm10,%xmm2
412	# o3 = i3 ^ (x3 + s3), first block
413	vpaddd		%ymm14,%ymm3,%ymm10
414	cmp		$0x40,%rax
415	jl		.Lxorpart4
416	vpxor		0x30(%rdx),%xmm10,%xmm9
417	vmovdqu		%xmm9,0x30(%rsi)
418	vextracti128	$1,%ymm10,%xmm3
419
420	# xor and write second block
421	vmovdqa		%xmm0,%xmm10
422	cmp		$0x50,%rax
423	jl		.Lxorpart4
424	vpxor		0x40(%rdx),%xmm10,%xmm9
425	vmovdqu		%xmm9,0x40(%rsi)
426
427	vmovdqa		%xmm1,%xmm10
428	cmp		$0x60,%rax
429	jl		.Lxorpart4
430	vpxor		0x50(%rdx),%xmm10,%xmm9
431	vmovdqu		%xmm9,0x50(%rsi)
432
433	vmovdqa		%xmm2,%xmm10
434	cmp		$0x70,%rax
435	jl		.Lxorpart4
436	vpxor		0x60(%rdx),%xmm10,%xmm9
437	vmovdqu		%xmm9,0x60(%rsi)
438
439	vmovdqa		%xmm3,%xmm10
440	cmp		$0x80,%rax
441	jl		.Lxorpart4
442	vpxor		0x70(%rdx),%xmm10,%xmm9
443	vmovdqu		%xmm9,0x70(%rsi)
444
445	# o0 = i0 ^ (x0 + s0), third block
446	vpaddd		%ymm11,%ymm4,%ymm10
447	cmp		$0x90,%rax
448	jl		.Lxorpart4
449	vpxor		0x80(%rdx),%xmm10,%xmm9
450	vmovdqu		%xmm9,0x80(%rsi)
451	vextracti128	$1,%ymm10,%xmm4
452	# o1 = i1 ^ (x1 + s1), third block
453	vpaddd		%ymm12,%ymm5,%ymm10
454	cmp		$0xa0,%rax
455	jl		.Lxorpart4
456	vpxor		0x90(%rdx),%xmm10,%xmm9
457	vmovdqu		%xmm9,0x90(%rsi)
458	vextracti128	$1,%ymm10,%xmm5
459	# o2 = i2 ^ (x2 + s2), third block
460	vpaddd		%ymm13,%ymm6,%ymm10
461	cmp		$0xb0,%rax
462	jl		.Lxorpart4
463	vpxor		0xa0(%rdx),%xmm10,%xmm9
464	vmovdqu		%xmm9,0xa0(%rsi)
465	vextracti128	$1,%ymm10,%xmm6
466	# o3 = i3 ^ (x3 + s3), third block
467	vpaddd		%ymm15,%ymm7,%ymm10
468	cmp		$0xc0,%rax
469	jl		.Lxorpart4
470	vpxor		0xb0(%rdx),%xmm10,%xmm9
471	vmovdqu		%xmm9,0xb0(%rsi)
472	vextracti128	$1,%ymm10,%xmm7
473
474	# xor and write fourth block
475	vmovdqa		%xmm4,%xmm10
476	cmp		$0xd0,%rax
477	jl		.Lxorpart4
478	vpxor		0xc0(%rdx),%xmm10,%xmm9
479	vmovdqu		%xmm9,0xc0(%rsi)
480
481	vmovdqa		%xmm5,%xmm10
482	cmp		$0xe0,%rax
483	jl		.Lxorpart4
484	vpxor		0xd0(%rdx),%xmm10,%xmm9
485	vmovdqu		%xmm9,0xd0(%rsi)
486
487	vmovdqa		%xmm6,%xmm10
488	cmp		$0xf0,%rax
489	jl		.Lxorpart4
490	vpxor		0xe0(%rdx),%xmm10,%xmm9
491	vmovdqu		%xmm9,0xe0(%rsi)
492
493	vmovdqa		%xmm7,%xmm10
494	cmp		$0x100,%rax
495	jl		.Lxorpart4
496	vpxor		0xf0(%rdx),%xmm10,%xmm9
497	vmovdqu		%xmm9,0xf0(%rsi)
498
499.Ldone4:
500	vzeroupper
501	RET
502
503.Lxorpart4:
504	# xor remaining bytes from partial register into output
505	mov		%rax,%r9
506	and		$0x0f,%r9
507	jz		.Ldone4
508	and		$~0x0f,%rax
509
510	mov		%rsi,%r11
511
512	lea		8(%rsp),%r10
513	sub		$0x10,%rsp
514	and		$~31,%rsp
515
516	lea		(%rdx,%rax),%rsi
517	mov		%rsp,%rdi
518	mov		%r9,%rcx
519	rep movsb
520
521	vpxor		0x00(%rsp),%xmm10,%xmm10
522	vmovdqa		%xmm10,0x00(%rsp)
523
524	mov		%rsp,%rsi
525	lea		(%r11,%rax),%rdi
526	mov		%r9,%rcx
527	rep movsb
528
529	lea		-8(%r10),%rsp
530	jmp		.Ldone4
531
532SYM_FUNC_END(chacha_4block_xor_avx2)
533
534SYM_FUNC_START(chacha_8block_xor_avx2)
535	# %rdi: Input state matrix, s
536	# %rsi: up to 8 data blocks output, o
537	# %rdx: up to 8 data blocks input, i
538	# %rcx: input/output length in bytes
539	# %r8d: nrounds
540
541	# This function encrypts eight consecutive ChaCha blocks by loading
542	# the state matrix in AVX registers eight times. As we need some
543	# scratch registers, we save the first four registers on the stack. The
544	# algorithm performs each operation on the corresponding word of each
545	# state matrix, hence requires no word shuffling. For final XORing step
546	# we transpose the matrix by interleaving 32-, 64- and then 128-bit
547	# words, which allows us to do XOR in AVX registers. 8/16-bit word
548	# rotation is done with the slightly better performing byte shuffling,
549	# 7/12-bit word rotation uses traditional shift+OR.
550
551	vzeroupper
552	# 4 * 32 byte stack, 32-byte aligned
553	lea		8(%rsp),%r10
554	and		$~31, %rsp
555	sub		$0x80, %rsp
556	mov		%rcx,%rax
557
558	# x0..15[0-7] = s[0..15]
559	vpbroadcastd	0x00(%rdi),%ymm0
560	vpbroadcastd	0x04(%rdi),%ymm1
561	vpbroadcastd	0x08(%rdi),%ymm2
562	vpbroadcastd	0x0c(%rdi),%ymm3
563	vpbroadcastd	0x10(%rdi),%ymm4
564	vpbroadcastd	0x14(%rdi),%ymm5
565	vpbroadcastd	0x18(%rdi),%ymm6
566	vpbroadcastd	0x1c(%rdi),%ymm7
567	vpbroadcastd	0x20(%rdi),%ymm8
568	vpbroadcastd	0x24(%rdi),%ymm9
569	vpbroadcastd	0x28(%rdi),%ymm10
570	vpbroadcastd	0x2c(%rdi),%ymm11
571	vpbroadcastd	0x30(%rdi),%ymm12
572	vpbroadcastd	0x34(%rdi),%ymm13
573	vpbroadcastd	0x38(%rdi),%ymm14
574	vpbroadcastd	0x3c(%rdi),%ymm15
575	# x0..3 on stack
576	vmovdqa		%ymm0,0x00(%rsp)
577	vmovdqa		%ymm1,0x20(%rsp)
578	vmovdqa		%ymm2,0x40(%rsp)
579	vmovdqa		%ymm3,0x60(%rsp)
580
581	vmovdqa		CTRINC(%rip),%ymm1
582	vmovdqa		ROT8(%rip),%ymm2
583	vmovdqa		ROT16(%rip),%ymm3
584
585	# x12 += counter values 0-3
586	vpaddd		%ymm1,%ymm12,%ymm12
587
588.Ldoubleround8:
589	# x0 += x4, x12 = rotl32(x12 ^ x0, 16)
590	vpaddd		0x00(%rsp),%ymm4,%ymm0
591	vmovdqa		%ymm0,0x00(%rsp)
592	vpxor		%ymm0,%ymm12,%ymm12
593	vpshufb		%ymm3,%ymm12,%ymm12
594	# x1 += x5, x13 = rotl32(x13 ^ x1, 16)
595	vpaddd		0x20(%rsp),%ymm5,%ymm0
596	vmovdqa		%ymm0,0x20(%rsp)
597	vpxor		%ymm0,%ymm13,%ymm13
598	vpshufb		%ymm3,%ymm13,%ymm13
599	# x2 += x6, x14 = rotl32(x14 ^ x2, 16)
600	vpaddd		0x40(%rsp),%ymm6,%ymm0
601	vmovdqa		%ymm0,0x40(%rsp)
602	vpxor		%ymm0,%ymm14,%ymm14
603	vpshufb		%ymm3,%ymm14,%ymm14
604	# x3 += x7, x15 = rotl32(x15 ^ x3, 16)
605	vpaddd		0x60(%rsp),%ymm7,%ymm0
606	vmovdqa		%ymm0,0x60(%rsp)
607	vpxor		%ymm0,%ymm15,%ymm15
608	vpshufb		%ymm3,%ymm15,%ymm15
609
610	# x8 += x12, x4 = rotl32(x4 ^ x8, 12)
611	vpaddd		%ymm12,%ymm8,%ymm8
612	vpxor		%ymm8,%ymm4,%ymm4
613	vpslld		$12,%ymm4,%ymm0
614	vpsrld		$20,%ymm4,%ymm4
615	vpor		%ymm0,%ymm4,%ymm4
616	# x9 += x13, x5 = rotl32(x5 ^ x9, 12)
617	vpaddd		%ymm13,%ymm9,%ymm9
618	vpxor		%ymm9,%ymm5,%ymm5
619	vpslld		$12,%ymm5,%ymm0
620	vpsrld		$20,%ymm5,%ymm5
621	vpor		%ymm0,%ymm5,%ymm5
622	# x10 += x14, x6 = rotl32(x6 ^ x10, 12)
623	vpaddd		%ymm14,%ymm10,%ymm10
624	vpxor		%ymm10,%ymm6,%ymm6
625	vpslld		$12,%ymm6,%ymm0
626	vpsrld		$20,%ymm6,%ymm6
627	vpor		%ymm0,%ymm6,%ymm6
628	# x11 += x15, x7 = rotl32(x7 ^ x11, 12)
629	vpaddd		%ymm15,%ymm11,%ymm11
630	vpxor		%ymm11,%ymm7,%ymm7
631	vpslld		$12,%ymm7,%ymm0
632	vpsrld		$20,%ymm7,%ymm7
633	vpor		%ymm0,%ymm7,%ymm7
634
635	# x0 += x4, x12 = rotl32(x12 ^ x0, 8)
636	vpaddd		0x00(%rsp),%ymm4,%ymm0
637	vmovdqa		%ymm0,0x00(%rsp)
638	vpxor		%ymm0,%ymm12,%ymm12
639	vpshufb		%ymm2,%ymm12,%ymm12
640	# x1 += x5, x13 = rotl32(x13 ^ x1, 8)
641	vpaddd		0x20(%rsp),%ymm5,%ymm0
642	vmovdqa		%ymm0,0x20(%rsp)
643	vpxor		%ymm0,%ymm13,%ymm13
644	vpshufb		%ymm2,%ymm13,%ymm13
645	# x2 += x6, x14 = rotl32(x14 ^ x2, 8)
646	vpaddd		0x40(%rsp),%ymm6,%ymm0
647	vmovdqa		%ymm0,0x40(%rsp)
648	vpxor		%ymm0,%ymm14,%ymm14
649	vpshufb		%ymm2,%ymm14,%ymm14
650	# x3 += x7, x15 = rotl32(x15 ^ x3, 8)
651	vpaddd		0x60(%rsp),%ymm7,%ymm0
652	vmovdqa		%ymm0,0x60(%rsp)
653	vpxor		%ymm0,%ymm15,%ymm15
654	vpshufb		%ymm2,%ymm15,%ymm15
655
656	# x8 += x12, x4 = rotl32(x4 ^ x8, 7)
657	vpaddd		%ymm12,%ymm8,%ymm8
658	vpxor		%ymm8,%ymm4,%ymm4
659	vpslld		$7,%ymm4,%ymm0
660	vpsrld		$25,%ymm4,%ymm4
661	vpor		%ymm0,%ymm4,%ymm4
662	# x9 += x13, x5 = rotl32(x5 ^ x9, 7)
663	vpaddd		%ymm13,%ymm9,%ymm9
664	vpxor		%ymm9,%ymm5,%ymm5
665	vpslld		$7,%ymm5,%ymm0
666	vpsrld		$25,%ymm5,%ymm5
667	vpor		%ymm0,%ymm5,%ymm5
668	# x10 += x14, x6 = rotl32(x6 ^ x10, 7)
669	vpaddd		%ymm14,%ymm10,%ymm10
670	vpxor		%ymm10,%ymm6,%ymm6
671	vpslld		$7,%ymm6,%ymm0
672	vpsrld		$25,%ymm6,%ymm6
673	vpor		%ymm0,%ymm6,%ymm6
674	# x11 += x15, x7 = rotl32(x7 ^ x11, 7)
675	vpaddd		%ymm15,%ymm11,%ymm11
676	vpxor		%ymm11,%ymm7,%ymm7
677	vpslld		$7,%ymm7,%ymm0
678	vpsrld		$25,%ymm7,%ymm7
679	vpor		%ymm0,%ymm7,%ymm7
680
681	# x0 += x5, x15 = rotl32(x15 ^ x0, 16)
682	vpaddd		0x00(%rsp),%ymm5,%ymm0
683	vmovdqa		%ymm0,0x00(%rsp)
684	vpxor		%ymm0,%ymm15,%ymm15
685	vpshufb		%ymm3,%ymm15,%ymm15
686	# x1 += x6, x12 = rotl32(x12 ^ x1, 16)%ymm0
687	vpaddd		0x20(%rsp),%ymm6,%ymm0
688	vmovdqa		%ymm0,0x20(%rsp)
689	vpxor		%ymm0,%ymm12,%ymm12
690	vpshufb		%ymm3,%ymm12,%ymm12
691	# x2 += x7, x13 = rotl32(x13 ^ x2, 16)
692	vpaddd		0x40(%rsp),%ymm7,%ymm0
693	vmovdqa		%ymm0,0x40(%rsp)
694	vpxor		%ymm0,%ymm13,%ymm13
695	vpshufb		%ymm3,%ymm13,%ymm13
696	# x3 += x4, x14 = rotl32(x14 ^ x3, 16)
697	vpaddd		0x60(%rsp),%ymm4,%ymm0
698	vmovdqa		%ymm0,0x60(%rsp)
699	vpxor		%ymm0,%ymm14,%ymm14
700	vpshufb		%ymm3,%ymm14,%ymm14
701
702	# x10 += x15, x5 = rotl32(x5 ^ x10, 12)
703	vpaddd		%ymm15,%ymm10,%ymm10
704	vpxor		%ymm10,%ymm5,%ymm5
705	vpslld		$12,%ymm5,%ymm0
706	vpsrld		$20,%ymm5,%ymm5
707	vpor		%ymm0,%ymm5,%ymm5
708	# x11 += x12, x6 = rotl32(x6 ^ x11, 12)
709	vpaddd		%ymm12,%ymm11,%ymm11
710	vpxor		%ymm11,%ymm6,%ymm6
711	vpslld		$12,%ymm6,%ymm0
712	vpsrld		$20,%ymm6,%ymm6
713	vpor		%ymm0,%ymm6,%ymm6
714	# x8 += x13, x7 = rotl32(x7 ^ x8, 12)
715	vpaddd		%ymm13,%ymm8,%ymm8
716	vpxor		%ymm8,%ymm7,%ymm7
717	vpslld		$12,%ymm7,%ymm0
718	vpsrld		$20,%ymm7,%ymm7
719	vpor		%ymm0,%ymm7,%ymm7
720	# x9 += x14, x4 = rotl32(x4 ^ x9, 12)
721	vpaddd		%ymm14,%ymm9,%ymm9
722	vpxor		%ymm9,%ymm4,%ymm4
723	vpslld		$12,%ymm4,%ymm0
724	vpsrld		$20,%ymm4,%ymm4
725	vpor		%ymm0,%ymm4,%ymm4
726
727	# x0 += x5, x15 = rotl32(x15 ^ x0, 8)
728	vpaddd		0x00(%rsp),%ymm5,%ymm0
729	vmovdqa		%ymm0,0x00(%rsp)
730	vpxor		%ymm0,%ymm15,%ymm15
731	vpshufb		%ymm2,%ymm15,%ymm15
732	# x1 += x6, x12 = rotl32(x12 ^ x1, 8)
733	vpaddd		0x20(%rsp),%ymm6,%ymm0
734	vmovdqa		%ymm0,0x20(%rsp)
735	vpxor		%ymm0,%ymm12,%ymm12
736	vpshufb		%ymm2,%ymm12,%ymm12
737	# x2 += x7, x13 = rotl32(x13 ^ x2, 8)
738	vpaddd		0x40(%rsp),%ymm7,%ymm0
739	vmovdqa		%ymm0,0x40(%rsp)
740	vpxor		%ymm0,%ymm13,%ymm13
741	vpshufb		%ymm2,%ymm13,%ymm13
742	# x3 += x4, x14 = rotl32(x14 ^ x3, 8)
743	vpaddd		0x60(%rsp),%ymm4,%ymm0
744	vmovdqa		%ymm0,0x60(%rsp)
745	vpxor		%ymm0,%ymm14,%ymm14
746	vpshufb		%ymm2,%ymm14,%ymm14
747
748	# x10 += x15, x5 = rotl32(x5 ^ x10, 7)
749	vpaddd		%ymm15,%ymm10,%ymm10
750	vpxor		%ymm10,%ymm5,%ymm5
751	vpslld		$7,%ymm5,%ymm0
752	vpsrld		$25,%ymm5,%ymm5
753	vpor		%ymm0,%ymm5,%ymm5
754	# x11 += x12, x6 = rotl32(x6 ^ x11, 7)
755	vpaddd		%ymm12,%ymm11,%ymm11
756	vpxor		%ymm11,%ymm6,%ymm6
757	vpslld		$7,%ymm6,%ymm0
758	vpsrld		$25,%ymm6,%ymm6
759	vpor		%ymm0,%ymm6,%ymm6
760	# x8 += x13, x7 = rotl32(x7 ^ x8, 7)
761	vpaddd		%ymm13,%ymm8,%ymm8
762	vpxor		%ymm8,%ymm7,%ymm7
763	vpslld		$7,%ymm7,%ymm0
764	vpsrld		$25,%ymm7,%ymm7
765	vpor		%ymm0,%ymm7,%ymm7
766	# x9 += x14, x4 = rotl32(x4 ^ x9, 7)
767	vpaddd		%ymm14,%ymm9,%ymm9
768	vpxor		%ymm9,%ymm4,%ymm4
769	vpslld		$7,%ymm4,%ymm0
770	vpsrld		$25,%ymm4,%ymm4
771	vpor		%ymm0,%ymm4,%ymm4
772
773	sub		$2,%r8d
774	jnz		.Ldoubleround8
775
776	# x0..15[0-3] += s[0..15]
777	vpbroadcastd	0x00(%rdi),%ymm0
778	vpaddd		0x00(%rsp),%ymm0,%ymm0
779	vmovdqa		%ymm0,0x00(%rsp)
780	vpbroadcastd	0x04(%rdi),%ymm0
781	vpaddd		0x20(%rsp),%ymm0,%ymm0
782	vmovdqa		%ymm0,0x20(%rsp)
783	vpbroadcastd	0x08(%rdi),%ymm0
784	vpaddd		0x40(%rsp),%ymm0,%ymm0
785	vmovdqa		%ymm0,0x40(%rsp)
786	vpbroadcastd	0x0c(%rdi),%ymm0
787	vpaddd		0x60(%rsp),%ymm0,%ymm0
788	vmovdqa		%ymm0,0x60(%rsp)
789	vpbroadcastd	0x10(%rdi),%ymm0
790	vpaddd		%ymm0,%ymm4,%ymm4
791	vpbroadcastd	0x14(%rdi),%ymm0
792	vpaddd		%ymm0,%ymm5,%ymm5
793	vpbroadcastd	0x18(%rdi),%ymm0
794	vpaddd		%ymm0,%ymm6,%ymm6
795	vpbroadcastd	0x1c(%rdi),%ymm0
796	vpaddd		%ymm0,%ymm7,%ymm7
797	vpbroadcastd	0x20(%rdi),%ymm0
798	vpaddd		%ymm0,%ymm8,%ymm8
799	vpbroadcastd	0x24(%rdi),%ymm0
800	vpaddd		%ymm0,%ymm9,%ymm9
801	vpbroadcastd	0x28(%rdi),%ymm0
802	vpaddd		%ymm0,%ymm10,%ymm10
803	vpbroadcastd	0x2c(%rdi),%ymm0
804	vpaddd		%ymm0,%ymm11,%ymm11
805	vpbroadcastd	0x30(%rdi),%ymm0
806	vpaddd		%ymm0,%ymm12,%ymm12
807	vpbroadcastd	0x34(%rdi),%ymm0
808	vpaddd		%ymm0,%ymm13,%ymm13
809	vpbroadcastd	0x38(%rdi),%ymm0
810	vpaddd		%ymm0,%ymm14,%ymm14
811	vpbroadcastd	0x3c(%rdi),%ymm0
812	vpaddd		%ymm0,%ymm15,%ymm15
813
814	# x12 += counter values 0-3
815	vpaddd		%ymm1,%ymm12,%ymm12
816
817	# interleave 32-bit words in state n, n+1
818	vmovdqa		0x00(%rsp),%ymm0
819	vmovdqa		0x20(%rsp),%ymm1
820	vpunpckldq	%ymm1,%ymm0,%ymm2
821	vpunpckhdq	%ymm1,%ymm0,%ymm1
822	vmovdqa		%ymm2,0x00(%rsp)
823	vmovdqa		%ymm1,0x20(%rsp)
824	vmovdqa		0x40(%rsp),%ymm0
825	vmovdqa		0x60(%rsp),%ymm1
826	vpunpckldq	%ymm1,%ymm0,%ymm2
827	vpunpckhdq	%ymm1,%ymm0,%ymm1
828	vmovdqa		%ymm2,0x40(%rsp)
829	vmovdqa		%ymm1,0x60(%rsp)
830	vmovdqa		%ymm4,%ymm0
831	vpunpckldq	%ymm5,%ymm0,%ymm4
832	vpunpckhdq	%ymm5,%ymm0,%ymm5
833	vmovdqa		%ymm6,%ymm0
834	vpunpckldq	%ymm7,%ymm0,%ymm6
835	vpunpckhdq	%ymm7,%ymm0,%ymm7
836	vmovdqa		%ymm8,%ymm0
837	vpunpckldq	%ymm9,%ymm0,%ymm8
838	vpunpckhdq	%ymm9,%ymm0,%ymm9
839	vmovdqa		%ymm10,%ymm0
840	vpunpckldq	%ymm11,%ymm0,%ymm10
841	vpunpckhdq	%ymm11,%ymm0,%ymm11
842	vmovdqa		%ymm12,%ymm0
843	vpunpckldq	%ymm13,%ymm0,%ymm12
844	vpunpckhdq	%ymm13,%ymm0,%ymm13
845	vmovdqa		%ymm14,%ymm0
846	vpunpckldq	%ymm15,%ymm0,%ymm14
847	vpunpckhdq	%ymm15,%ymm0,%ymm15
848
849	# interleave 64-bit words in state n, n+2
850	vmovdqa		0x00(%rsp),%ymm0
851	vmovdqa		0x40(%rsp),%ymm2
852	vpunpcklqdq	%ymm2,%ymm0,%ymm1
853	vpunpckhqdq	%ymm2,%ymm0,%ymm2
854	vmovdqa		%ymm1,0x00(%rsp)
855	vmovdqa		%ymm2,0x40(%rsp)
856	vmovdqa		0x20(%rsp),%ymm0
857	vmovdqa		0x60(%rsp),%ymm2
858	vpunpcklqdq	%ymm2,%ymm0,%ymm1
859	vpunpckhqdq	%ymm2,%ymm0,%ymm2
860	vmovdqa		%ymm1,0x20(%rsp)
861	vmovdqa		%ymm2,0x60(%rsp)
862	vmovdqa		%ymm4,%ymm0
863	vpunpcklqdq	%ymm6,%ymm0,%ymm4
864	vpunpckhqdq	%ymm6,%ymm0,%ymm6
865	vmovdqa		%ymm5,%ymm0
866	vpunpcklqdq	%ymm7,%ymm0,%ymm5
867	vpunpckhqdq	%ymm7,%ymm0,%ymm7
868	vmovdqa		%ymm8,%ymm0
869	vpunpcklqdq	%ymm10,%ymm0,%ymm8
870	vpunpckhqdq	%ymm10,%ymm0,%ymm10
871	vmovdqa		%ymm9,%ymm0
872	vpunpcklqdq	%ymm11,%ymm0,%ymm9
873	vpunpckhqdq	%ymm11,%ymm0,%ymm11
874	vmovdqa		%ymm12,%ymm0
875	vpunpcklqdq	%ymm14,%ymm0,%ymm12
876	vpunpckhqdq	%ymm14,%ymm0,%ymm14
877	vmovdqa		%ymm13,%ymm0
878	vpunpcklqdq	%ymm15,%ymm0,%ymm13
879	vpunpckhqdq	%ymm15,%ymm0,%ymm15
880
881	# interleave 128-bit words in state n, n+4
882	# xor/write first four blocks
883	vmovdqa		0x00(%rsp),%ymm1
884	vperm2i128	$0x20,%ymm4,%ymm1,%ymm0
885	cmp		$0x0020,%rax
886	jl		.Lxorpart8
887	vpxor		0x0000(%rdx),%ymm0,%ymm0
888	vmovdqu		%ymm0,0x0000(%rsi)
889	vperm2i128	$0x31,%ymm4,%ymm1,%ymm4
890
891	vperm2i128	$0x20,%ymm12,%ymm8,%ymm0
892	cmp		$0x0040,%rax
893	jl		.Lxorpart8
894	vpxor		0x0020(%rdx),%ymm0,%ymm0
895	vmovdqu		%ymm0,0x0020(%rsi)
896	vperm2i128	$0x31,%ymm12,%ymm8,%ymm12
897
898	vmovdqa		0x40(%rsp),%ymm1
899	vperm2i128	$0x20,%ymm6,%ymm1,%ymm0
900	cmp		$0x0060,%rax
901	jl		.Lxorpart8
902	vpxor		0x0040(%rdx),%ymm0,%ymm0
903	vmovdqu		%ymm0,0x0040(%rsi)
904	vperm2i128	$0x31,%ymm6,%ymm1,%ymm6
905
906	vperm2i128	$0x20,%ymm14,%ymm10,%ymm0
907	cmp		$0x0080,%rax
908	jl		.Lxorpart8
909	vpxor		0x0060(%rdx),%ymm0,%ymm0
910	vmovdqu		%ymm0,0x0060(%rsi)
911	vperm2i128	$0x31,%ymm14,%ymm10,%ymm14
912
913	vmovdqa		0x20(%rsp),%ymm1
914	vperm2i128	$0x20,%ymm5,%ymm1,%ymm0
915	cmp		$0x00a0,%rax
916	jl		.Lxorpart8
917	vpxor		0x0080(%rdx),%ymm0,%ymm0
918	vmovdqu		%ymm0,0x0080(%rsi)
919	vperm2i128	$0x31,%ymm5,%ymm1,%ymm5
920
921	vperm2i128	$0x20,%ymm13,%ymm9,%ymm0
922	cmp		$0x00c0,%rax
923	jl		.Lxorpart8
924	vpxor		0x00a0(%rdx),%ymm0,%ymm0
925	vmovdqu		%ymm0,0x00a0(%rsi)
926	vperm2i128	$0x31,%ymm13,%ymm9,%ymm13
927
928	vmovdqa		0x60(%rsp),%ymm1
929	vperm2i128	$0x20,%ymm7,%ymm1,%ymm0
930	cmp		$0x00e0,%rax
931	jl		.Lxorpart8
932	vpxor		0x00c0(%rdx),%ymm0,%ymm0
933	vmovdqu		%ymm0,0x00c0(%rsi)
934	vperm2i128	$0x31,%ymm7,%ymm1,%ymm7
935
936	vperm2i128	$0x20,%ymm15,%ymm11,%ymm0
937	cmp		$0x0100,%rax
938	jl		.Lxorpart8
939	vpxor		0x00e0(%rdx),%ymm0,%ymm0
940	vmovdqu		%ymm0,0x00e0(%rsi)
941	vperm2i128	$0x31,%ymm15,%ymm11,%ymm15
942
943	# xor remaining blocks, write to output
944	vmovdqa		%ymm4,%ymm0
945	cmp		$0x0120,%rax
946	jl		.Lxorpart8
947	vpxor		0x0100(%rdx),%ymm0,%ymm0
948	vmovdqu		%ymm0,0x0100(%rsi)
949
950	vmovdqa		%ymm12,%ymm0
951	cmp		$0x0140,%rax
952	jl		.Lxorpart8
953	vpxor		0x0120(%rdx),%ymm0,%ymm0
954	vmovdqu		%ymm0,0x0120(%rsi)
955
956	vmovdqa		%ymm6,%ymm0
957	cmp		$0x0160,%rax
958	jl		.Lxorpart8
959	vpxor		0x0140(%rdx),%ymm0,%ymm0
960	vmovdqu		%ymm0,0x0140(%rsi)
961
962	vmovdqa		%ymm14,%ymm0
963	cmp		$0x0180,%rax
964	jl		.Lxorpart8
965	vpxor		0x0160(%rdx),%ymm0,%ymm0
966	vmovdqu		%ymm0,0x0160(%rsi)
967
968	vmovdqa		%ymm5,%ymm0
969	cmp		$0x01a0,%rax
970	jl		.Lxorpart8
971	vpxor		0x0180(%rdx),%ymm0,%ymm0
972	vmovdqu		%ymm0,0x0180(%rsi)
973
974	vmovdqa		%ymm13,%ymm0
975	cmp		$0x01c0,%rax
976	jl		.Lxorpart8
977	vpxor		0x01a0(%rdx),%ymm0,%ymm0
978	vmovdqu		%ymm0,0x01a0(%rsi)
979
980	vmovdqa		%ymm7,%ymm0
981	cmp		$0x01e0,%rax
982	jl		.Lxorpart8
983	vpxor		0x01c0(%rdx),%ymm0,%ymm0
984	vmovdqu		%ymm0,0x01c0(%rsi)
985
986	vmovdqa		%ymm15,%ymm0
987	cmp		$0x0200,%rax
988	jl		.Lxorpart8
989	vpxor		0x01e0(%rdx),%ymm0,%ymm0
990	vmovdqu		%ymm0,0x01e0(%rsi)
991
992.Ldone8:
993	vzeroupper
994	lea		-8(%r10),%rsp
995	RET
996
997.Lxorpart8:
998	# xor remaining bytes from partial register into output
999	mov		%rax,%r9
1000	and		$0x1f,%r9
1001	jz		.Ldone8
1002	and		$~0x1f,%rax
1003
1004	mov		%rsi,%r11
1005
1006	lea		(%rdx,%rax),%rsi
1007	mov		%rsp,%rdi
1008	mov		%r9,%rcx
1009	rep movsb
1010
1011	vpxor		0x00(%rsp),%ymm0,%ymm0
1012	vmovdqa		%ymm0,0x00(%rsp)
1013
1014	mov		%rsp,%rsi
1015	lea		(%r11,%rax),%rdi
1016	mov		%r9,%rcx
1017	rep movsb
1018
1019	jmp		.Ldone8
1020
1021SYM_FUNC_END(chacha_8block_xor_avx2)
1022