xref: /linux/arch/x86/crypto/sha1_ni_asm.S (revision 32f34bf7e44eeaa241fb845d6f52af5104bc30fd)
1/*
2 * Intel SHA Extensions optimized implementation of a SHA-1 update function
3 *
4 * This file is provided under a dual BSD/GPLv2 license.  When using or
5 * redistributing this file, you may do so under either license.
6 *
7 * GPL LICENSE SUMMARY
8 *
9 * Copyright(c) 2015 Intel Corporation.
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of version 2 of the GNU General Public License as
13 * published by the Free Software Foundation.
14 *
15 * This program is distributed in the hope that it will be useful, but
16 * WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
18 * General Public License for more details.
19 *
20 * Contact Information:
21 * 	Sean Gulley <sean.m.gulley@intel.com>
22 * 	Tim Chen <tim.c.chen@linux.intel.com>
23 *
24 * BSD LICENSE
25 *
26 * Copyright(c) 2015 Intel Corporation.
27 *
28 * Redistribution and use in source and binary forms, with or without
29 * modification, are permitted provided that the following conditions
30 * are met:
31 *
32 * 	* Redistributions of source code must retain the above copyright
33 * 	  notice, this list of conditions and the following disclaimer.
34 * 	* Redistributions in binary form must reproduce the above copyright
35 * 	  notice, this list of conditions and the following disclaimer in
36 * 	  the documentation and/or other materials provided with the
37 * 	  distribution.
38 * 	* Neither the name of Intel Corporation nor the names of its
39 * 	  contributors may be used to endorse or promote products derived
40 * 	  from this software without specific prior written permission.
41 *
42 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
43 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
44 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
45 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
46 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
47 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
48 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
49 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
50 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
51 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
52 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
53 *
54 */
55
56#include <linux/linkage.h>
57#include <linux/cfi_types.h>
58
59#define DIGEST_PTR	%rdi	/* 1st arg */
60#define DATA_PTR	%rsi	/* 2nd arg */
61#define NUM_BLKS	%rdx	/* 3rd arg */
62
63/* gcc conversion */
64#define FRAME_SIZE	32	/* space for 2x16 bytes */
65
66#define ABCD		%xmm0
67#define E0		%xmm1	/* Need two E's b/c they ping pong */
68#define E1		%xmm2
69#define MSG0		%xmm3
70#define MSG1		%xmm4
71#define MSG2		%xmm5
72#define MSG3		%xmm6
73#define SHUF_MASK	%xmm7
74
75
76/*
77 * Intel SHA Extensions optimized implementation of a SHA-1 update function
78 *
79 * The function takes a pointer to the current hash values, a pointer to the
80 * input data, and a number of 64 byte blocks to process.  Once all blocks have
81 * been processed, the digest pointer is  updated with the resulting hash value.
82 * The function only processes complete blocks, there is no functionality to
83 * store partial blocks. All message padding and hash value initialization must
84 * be done outside the update function.
85 *
86 * The indented lines in the loop are instructions related to rounds processing.
87 * The non-indented lines are instructions related to the message schedule.
88 *
89 * void sha1_ni_transform(uint32_t *digest, const void *data,
90		uint32_t numBlocks)
91 * digest : pointer to digest
92 * data: pointer to input data
93 * numBlocks: Number of blocks to process
94 */
95.text
96.align 32
97SYM_TYPED_FUNC_START(sha1_ni_transform)
98	push		%rbp
99	mov		%rsp, %rbp
100	sub		$FRAME_SIZE, %rsp
101	and		$~0xF, %rsp
102
103	shl		$6, NUM_BLKS		/* convert to bytes */
104	jz		.Ldone_hash
105	add		DATA_PTR, NUM_BLKS	/* pointer to end of data */
106
107	/* load initial hash values */
108	pinsrd		$3, 1*16(DIGEST_PTR), E0
109	movdqu		0*16(DIGEST_PTR), ABCD
110	pand		UPPER_WORD_MASK(%rip), E0
111	pshufd		$0x1B, ABCD, ABCD
112
113	movdqa		PSHUFFLE_BYTE_FLIP_MASK(%rip), SHUF_MASK
114
115.Lloop0:
116	/* Save hash values for addition after rounds */
117	movdqa		E0, (0*16)(%rsp)
118	movdqa		ABCD, (1*16)(%rsp)
119
120	/* Rounds 0-3 */
121	movdqu		0*16(DATA_PTR), MSG0
122	pshufb		SHUF_MASK, MSG0
123		paddd		MSG0, E0
124		movdqa		ABCD, E1
125		sha1rnds4	$0, E0, ABCD
126
127	/* Rounds 4-7 */
128	movdqu		1*16(DATA_PTR), MSG1
129	pshufb		SHUF_MASK, MSG1
130		sha1nexte	MSG1, E1
131		movdqa		ABCD, E0
132		sha1rnds4	$0, E1, ABCD
133	sha1msg1	MSG1, MSG0
134
135	/* Rounds 8-11 */
136	movdqu		2*16(DATA_PTR), MSG2
137	pshufb		SHUF_MASK, MSG2
138		sha1nexte	MSG2, E0
139		movdqa		ABCD, E1
140		sha1rnds4	$0, E0, ABCD
141	sha1msg1	MSG2, MSG1
142	pxor		MSG2, MSG0
143
144	/* Rounds 12-15 */
145	movdqu		3*16(DATA_PTR), MSG3
146	pshufb		SHUF_MASK, MSG3
147		sha1nexte	MSG3, E1
148		movdqa		ABCD, E0
149	sha1msg2	MSG3, MSG0
150		sha1rnds4	$0, E1, ABCD
151	sha1msg1	MSG3, MSG2
152	pxor		MSG3, MSG1
153
154	/* Rounds 16-19 */
155		sha1nexte	MSG0, E0
156		movdqa		ABCD, E1
157	sha1msg2	MSG0, MSG1
158		sha1rnds4	$0, E0, ABCD
159	sha1msg1	MSG0, MSG3
160	pxor		MSG0, MSG2
161
162	/* Rounds 20-23 */
163		sha1nexte	MSG1, E1
164		movdqa		ABCD, E0
165	sha1msg2	MSG1, MSG2
166		sha1rnds4	$1, E1, ABCD
167	sha1msg1	MSG1, MSG0
168	pxor		MSG1, MSG3
169
170	/* Rounds 24-27 */
171		sha1nexte	MSG2, E0
172		movdqa		ABCD, E1
173	sha1msg2	MSG2, MSG3
174		sha1rnds4	$1, E0, ABCD
175	sha1msg1	MSG2, MSG1
176	pxor		MSG2, MSG0
177
178	/* Rounds 28-31 */
179		sha1nexte	MSG3, E1
180		movdqa		ABCD, E0
181	sha1msg2	MSG3, MSG0
182		sha1rnds4	$1, E1, ABCD
183	sha1msg1	MSG3, MSG2
184	pxor		MSG3, MSG1
185
186	/* Rounds 32-35 */
187		sha1nexte	MSG0, E0
188		movdqa		ABCD, E1
189	sha1msg2	MSG0, MSG1
190		sha1rnds4	$1, E0, ABCD
191	sha1msg1	MSG0, MSG3
192	pxor		MSG0, MSG2
193
194	/* Rounds 36-39 */
195		sha1nexte	MSG1, E1
196		movdqa		ABCD, E0
197	sha1msg2	MSG1, MSG2
198		sha1rnds4	$1, E1, ABCD
199	sha1msg1	MSG1, MSG0
200	pxor		MSG1, MSG3
201
202	/* Rounds 40-43 */
203		sha1nexte	MSG2, E0
204		movdqa		ABCD, E1
205	sha1msg2	MSG2, MSG3
206		sha1rnds4	$2, E0, ABCD
207	sha1msg1	MSG2, MSG1
208	pxor		MSG2, MSG0
209
210	/* Rounds 44-47 */
211		sha1nexte	MSG3, E1
212		movdqa		ABCD, E0
213	sha1msg2	MSG3, MSG0
214		sha1rnds4	$2, E1, ABCD
215	sha1msg1	MSG3, MSG2
216	pxor		MSG3, MSG1
217
218	/* Rounds 48-51 */
219		sha1nexte	MSG0, E0
220		movdqa		ABCD, E1
221	sha1msg2	MSG0, MSG1
222		sha1rnds4	$2, E0, ABCD
223	sha1msg1	MSG0, MSG3
224	pxor		MSG0, MSG2
225
226	/* Rounds 52-55 */
227		sha1nexte	MSG1, E1
228		movdqa		ABCD, E0
229	sha1msg2	MSG1, MSG2
230		sha1rnds4	$2, E1, ABCD
231	sha1msg1	MSG1, MSG0
232	pxor		MSG1, MSG3
233
234	/* Rounds 56-59 */
235		sha1nexte	MSG2, E0
236		movdqa		ABCD, E1
237	sha1msg2	MSG2, MSG3
238		sha1rnds4	$2, E0, ABCD
239	sha1msg1	MSG2, MSG1
240	pxor		MSG2, MSG0
241
242	/* Rounds 60-63 */
243		sha1nexte	MSG3, E1
244		movdqa		ABCD, E0
245	sha1msg2	MSG3, MSG0
246		sha1rnds4	$3, E1, ABCD
247	sha1msg1	MSG3, MSG2
248	pxor		MSG3, MSG1
249
250	/* Rounds 64-67 */
251		sha1nexte	MSG0, E0
252		movdqa		ABCD, E1
253	sha1msg2	MSG0, MSG1
254		sha1rnds4	$3, E0, ABCD
255	sha1msg1	MSG0, MSG3
256	pxor		MSG0, MSG2
257
258	/* Rounds 68-71 */
259		sha1nexte	MSG1, E1
260		movdqa		ABCD, E0
261	sha1msg2	MSG1, MSG2
262		sha1rnds4	$3, E1, ABCD
263	pxor		MSG1, MSG3
264
265	/* Rounds 72-75 */
266		sha1nexte	MSG2, E0
267		movdqa		ABCD, E1
268	sha1msg2	MSG2, MSG3
269		sha1rnds4	$3, E0, ABCD
270
271	/* Rounds 76-79 */
272		sha1nexte	MSG3, E1
273		movdqa		ABCD, E0
274		sha1rnds4	$3, E1, ABCD
275
276	/* Add current hash values with previously saved */
277	sha1nexte	(0*16)(%rsp), E0
278	paddd		(1*16)(%rsp), ABCD
279
280	/* Increment data pointer and loop if more to process */
281	add		$64, DATA_PTR
282	cmp		NUM_BLKS, DATA_PTR
283	jne		.Lloop0
284
285	/* Write hash values back in the correct order */
286	pshufd		$0x1B, ABCD, ABCD
287	movdqu		ABCD, 0*16(DIGEST_PTR)
288	pextrd		$3, E0, 1*16(DIGEST_PTR)
289
290.Ldone_hash:
291	mov		%rbp, %rsp
292	pop		%rbp
293
294	RET
295SYM_FUNC_END(sha1_ni_transform)
296
297.section	.rodata.cst16.PSHUFFLE_BYTE_FLIP_MASK, "aM", @progbits, 16
298.align 16
299PSHUFFLE_BYTE_FLIP_MASK:
300	.octa 0x000102030405060708090a0b0c0d0e0f
301
302.section	.rodata.cst16.UPPER_WORD_MASK, "aM", @progbits, 16
303.align 16
304UPPER_WORD_MASK:
305	.octa 0xFFFFFFFF000000000000000000000000
306