xref: /linux/arch/x86/crypto/twofish-x86_64-asm_64.S (revision 0d3b051adbb72ed81956447d0d1e54d5943ee6f5)
1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/***************************************************************************
3*   Copyright (C) 2006 by Joachim Fritschi, <jfritschi@freenet.de>        *
4*                                                                         *
5***************************************************************************/
6
7.file "twofish-x86_64-asm.S"
8.text
9
10#include <linux/linkage.h>
11#include <asm/asm-offsets.h>
12
13#define a_offset	0
14#define b_offset	4
15#define c_offset	8
16#define d_offset	12
17
18/* Structure of the crypto context struct*/
19
20#define s0	0	/* S0 Array 256 Words each */
21#define s1	1024	/* S1 Array */
22#define s2	2048	/* S2 Array */
23#define s3	3072	/* S3 Array */
24#define w	4096	/* 8 whitening keys (word) */
25#define k	4128	/* key 1-32 ( word ) */
26
27/* define a few register aliases to allow macro substitution */
28
29#define R0     %rax
30#define R0D    %eax
31#define R0B    %al
32#define R0H    %ah
33
34#define R1     %rbx
35#define R1D    %ebx
36#define R1B    %bl
37#define R1H    %bh
38
39#define R2     %rcx
40#define R2D    %ecx
41#define R2B    %cl
42#define R2H    %ch
43
44#define R3     %rdx
45#define R3D    %edx
46#define R3B    %dl
47#define R3H    %dh
48
49
50/* performs input whitening */
51#define input_whitening(src,context,offset)\
52	xor	w+offset(context),	src;
53
54/* performs input whitening */
55#define output_whitening(src,context,offset)\
56	xor	w+16+offset(context),	src;
57
58
59/*
60 * a input register containing a (rotated 16)
61 * b input register containing b
62 * c input register containing c
63 * d input register containing d (already rol $1)
64 * operations on a and b are interleaved to increase performance
65 */
66#define encrypt_round(a,b,c,d,round)\
67	movzx	b ## B,		%edi;\
68	mov	s1(%r11,%rdi,4),%r8d;\
69	movzx	a ## B,		%edi;\
70	mov	s2(%r11,%rdi,4),%r9d;\
71	movzx	b ## H,		%edi;\
72	ror	$16,		b ## D;\
73	xor	s2(%r11,%rdi,4),%r8d;\
74	movzx	a ## H,		%edi;\
75	ror	$16,		a ## D;\
76	xor	s3(%r11,%rdi,4),%r9d;\
77	movzx	b ## B,		%edi;\
78	xor	s3(%r11,%rdi,4),%r8d;\
79	movzx	a ## B,		%edi;\
80	xor	(%r11,%rdi,4),	%r9d;\
81	movzx	b ## H,		%edi;\
82	ror	$15,		b ## D;\
83	xor	(%r11,%rdi,4),	%r8d;\
84	movzx	a ## H,		%edi;\
85	xor	s1(%r11,%rdi,4),%r9d;\
86	add	%r8d,		%r9d;\
87	add	%r9d,		%r8d;\
88	add	k+round(%r11),	%r9d;\
89	xor	%r9d,		c ## D;\
90	rol	$15,		c ## D;\
91	add	k+4+round(%r11),%r8d;\
92	xor	%r8d,		d ## D;
93
94/*
95 * a input register containing a(rotated 16)
96 * b input register containing b
97 * c input register containing c
98 * d input register containing d (already rol $1)
99 * operations on a and b are interleaved to increase performance
100 * during the round a and b are prepared for the output whitening
101 */
102#define encrypt_last_round(a,b,c,d,round)\
103	mov	b ## D,		%r10d;\
104	shl	$32,		%r10;\
105	movzx	b ## B,		%edi;\
106	mov	s1(%r11,%rdi,4),%r8d;\
107	movzx	a ## B,		%edi;\
108	mov	s2(%r11,%rdi,4),%r9d;\
109	movzx	b ## H,		%edi;\
110	ror	$16,		b ## D;\
111	xor	s2(%r11,%rdi,4),%r8d;\
112	movzx	a ## H,		%edi;\
113	ror	$16,		a ## D;\
114	xor	s3(%r11,%rdi,4),%r9d;\
115	movzx	b ## B,		%edi;\
116	xor	s3(%r11,%rdi,4),%r8d;\
117	movzx	a ## B,		%edi;\
118	xor	(%r11,%rdi,4),	%r9d;\
119	xor	a,		%r10;\
120	movzx	b ## H,		%edi;\
121	xor	(%r11,%rdi,4),	%r8d;\
122	movzx	a ## H,		%edi;\
123	xor	s1(%r11,%rdi,4),%r9d;\
124	add	%r8d,		%r9d;\
125	add	%r9d,		%r8d;\
126	add	k+round(%r11),	%r9d;\
127	xor	%r9d,		c ## D;\
128	ror	$1,		c ## D;\
129	add	k+4+round(%r11),%r8d;\
130	xor	%r8d,		d ## D
131
132/*
133 * a input register containing a
134 * b input register containing b (rotated 16)
135 * c input register containing c (already rol $1)
136 * d input register containing d
137 * operations on a and b are interleaved to increase performance
138 */
139#define decrypt_round(a,b,c,d,round)\
140	movzx	a ## B,		%edi;\
141	mov	(%r11,%rdi,4),	%r9d;\
142	movzx	b ## B,		%edi;\
143	mov	s3(%r11,%rdi,4),%r8d;\
144	movzx	a ## H,		%edi;\
145	ror	$16,		a ## D;\
146	xor	s1(%r11,%rdi,4),%r9d;\
147	movzx	b ## H,		%edi;\
148	ror	$16,		b ## D;\
149	xor	(%r11,%rdi,4),	%r8d;\
150	movzx	a ## B,		%edi;\
151	xor	s2(%r11,%rdi,4),%r9d;\
152	movzx	b ## B,		%edi;\
153	xor	s1(%r11,%rdi,4),%r8d;\
154	movzx	a ## H,		%edi;\
155	ror	$15,		a ## D;\
156	xor	s3(%r11,%rdi,4),%r9d;\
157	movzx	b ## H,		%edi;\
158	xor	s2(%r11,%rdi,4),%r8d;\
159	add	%r8d,		%r9d;\
160	add	%r9d,		%r8d;\
161	add	k+round(%r11),	%r9d;\
162	xor	%r9d,		c ## D;\
163	add	k+4+round(%r11),%r8d;\
164	xor	%r8d,		d ## D;\
165	rol	$15,		d ## D;
166
167/*
168 * a input register containing a
169 * b input register containing b
170 * c input register containing c (already rol $1)
171 * d input register containing d
172 * operations on a and b are interleaved to increase performance
173 * during the round a and b are prepared for the output whitening
174 */
175#define decrypt_last_round(a,b,c,d,round)\
176	movzx	a ## B,		%edi;\
177	mov	(%r11,%rdi,4),	%r9d;\
178	movzx	b ## B,		%edi;\
179	mov	s3(%r11,%rdi,4),%r8d;\
180	movzx	b ## H,		%edi;\
181	ror	$16,		b ## D;\
182	xor	(%r11,%rdi,4),	%r8d;\
183	movzx	a ## H,		%edi;\
184	mov	b ## D,		%r10d;\
185	shl	$32,		%r10;\
186	xor	a,		%r10;\
187	ror	$16,		a ## D;\
188	xor	s1(%r11,%rdi,4),%r9d;\
189	movzx	b ## B,		%edi;\
190	xor	s1(%r11,%rdi,4),%r8d;\
191	movzx	a ## B,		%edi;\
192	xor	s2(%r11,%rdi,4),%r9d;\
193	movzx	b ## H,		%edi;\
194	xor	s2(%r11,%rdi,4),%r8d;\
195	movzx	a ## H,		%edi;\
196	xor	s3(%r11,%rdi,4),%r9d;\
197	add	%r8d,		%r9d;\
198	add	%r9d,		%r8d;\
199	add	k+round(%r11),	%r9d;\
200	xor	%r9d,		c ## D;\
201	add	k+4+round(%r11),%r8d;\
202	xor	%r8d,		d ## D;\
203	ror	$1,		d ## D;
204
205SYM_FUNC_START(twofish_enc_blk)
206	pushq    R1
207
208	/* %rdi contains the ctx address */
209	/* %rsi contains the output address */
210	/* %rdx contains the input address */
211	/* ctx address is moved to free one non-rex register
212	as target for the 8bit high operations */
213	mov	%rdi,		%r11
214
215	movq	(R3),	R1
216	movq	8(R3),	R3
217	input_whitening(R1,%r11,a_offset)
218	input_whitening(R3,%r11,c_offset)
219	mov	R1D,	R0D
220	rol	$16,	R0D
221	shr	$32,	R1
222	mov	R3D,	R2D
223	shr	$32,	R3
224	rol	$1,	R3D
225
226	encrypt_round(R0,R1,R2,R3,0);
227	encrypt_round(R2,R3,R0,R1,8);
228	encrypt_round(R0,R1,R2,R3,2*8);
229	encrypt_round(R2,R3,R0,R1,3*8);
230	encrypt_round(R0,R1,R2,R3,4*8);
231	encrypt_round(R2,R3,R0,R1,5*8);
232	encrypt_round(R0,R1,R2,R3,6*8);
233	encrypt_round(R2,R3,R0,R1,7*8);
234	encrypt_round(R0,R1,R2,R3,8*8);
235	encrypt_round(R2,R3,R0,R1,9*8);
236	encrypt_round(R0,R1,R2,R3,10*8);
237	encrypt_round(R2,R3,R0,R1,11*8);
238	encrypt_round(R0,R1,R2,R3,12*8);
239	encrypt_round(R2,R3,R0,R1,13*8);
240	encrypt_round(R0,R1,R2,R3,14*8);
241	encrypt_last_round(R2,R3,R0,R1,15*8);
242
243
244	output_whitening(%r10,%r11,a_offset)
245	movq	%r10,	(%rsi)
246
247	shl	$32,	R1
248	xor	R0,	R1
249
250	output_whitening(R1,%r11,c_offset)
251	movq	R1,	8(%rsi)
252
253	popq	R1
254	movl	$1,%eax
255	ret
256SYM_FUNC_END(twofish_enc_blk)
257
258SYM_FUNC_START(twofish_dec_blk)
259	pushq    R1
260
261	/* %rdi contains the ctx address */
262	/* %rsi contains the output address */
263	/* %rdx contains the input address */
264	/* ctx address is moved to free one non-rex register
265	as target for the 8bit high operations */
266	mov	%rdi,		%r11
267
268	movq	(R3),	R1
269	movq	8(R3),	R3
270	output_whitening(R1,%r11,a_offset)
271	output_whitening(R3,%r11,c_offset)
272	mov	R1D,	R0D
273	shr	$32,	R1
274	rol	$16,	R1D
275	mov	R3D,	R2D
276	shr	$32,	R3
277	rol	$1,	R2D
278
279	decrypt_round(R0,R1,R2,R3,15*8);
280	decrypt_round(R2,R3,R0,R1,14*8);
281	decrypt_round(R0,R1,R2,R3,13*8);
282	decrypt_round(R2,R3,R0,R1,12*8);
283	decrypt_round(R0,R1,R2,R3,11*8);
284	decrypt_round(R2,R3,R0,R1,10*8);
285	decrypt_round(R0,R1,R2,R3,9*8);
286	decrypt_round(R2,R3,R0,R1,8*8);
287	decrypt_round(R0,R1,R2,R3,7*8);
288	decrypt_round(R2,R3,R0,R1,6*8);
289	decrypt_round(R0,R1,R2,R3,5*8);
290	decrypt_round(R2,R3,R0,R1,4*8);
291	decrypt_round(R0,R1,R2,R3,3*8);
292	decrypt_round(R2,R3,R0,R1,2*8);
293	decrypt_round(R0,R1,R2,R3,1*8);
294	decrypt_last_round(R2,R3,R0,R1,0);
295
296	input_whitening(%r10,%r11,a_offset)
297	movq	%r10,	(%rsi)
298
299	shl	$32,	R1
300	xor	R0,	R1
301
302	input_whitening(R1,%r11,c_offset)
303	movq	R1,	8(%rsi)
304
305	popq	R1
306	movl	$1,%eax
307	ret
308SYM_FUNC_END(twofish_dec_blk)
309