PolarSSL v1.3.9
aesni.c
Go to the documentation of this file.
1 /*
2  * AES-NI support functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 /*
27  * [AES-WP] http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set
28  * [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
29  */
30 
31 #if !defined(POLARSSL_CONFIG_FILE)
32 #include "polarssl/config.h"
33 #else
34 #include POLARSSL_CONFIG_FILE
35 #endif
36 
37 #if defined(POLARSSL_AESNI_C)
38 
39 #include "polarssl/aesni.h"
40 #include <stdio.h>
41 
42 #if defined(POLARSSL_HAVE_X86_64)
43 
44 /*
45  * AES-NI support detection routine
46  */
47 int aesni_supports( unsigned int what )
48 {
49  static int done = 0;
50  static unsigned int c = 0;
51 
52  if( ! done )
53  {
54  asm( "movl $1, %%eax \n\t"
55  "cpuid \n\t"
56  : "=c" (c)
57  :
58  : "eax", "ebx", "edx" );
59  done = 1;
60  }
61 
62  return( ( c & what ) != 0 );
63 }
64 
65 /*
66  * Binutils needs to be at least 2.19 to support AES-NI instructions.
67  * Unfortunately, a lot of users have a lower version now (2014-04).
68  * Emit bytecode directly in order to support "old" version of gas.
69  *
70  * Opcodes from the Intel architecture reference manual, vol. 3.
71  * We always use registers, so we don't need prefixes for memory operands.
72  * Operand macros are in gas order (src, dst) as opposed to Intel order
73  * (dst, src) in order to blend better into the surrounding assembly code.
74  */
75 #define AESDEC ".byte 0x66,0x0F,0x38,0xDE,"
76 #define AESDECLAST ".byte 0x66,0x0F,0x38,0xDF,"
77 #define AESENC ".byte 0x66,0x0F,0x38,0xDC,"
78 #define AESENCLAST ".byte 0x66,0x0F,0x38,0xDD,"
79 #define AESIMC ".byte 0x66,0x0F,0x38,0xDB,"
80 #define AESKEYGENA ".byte 0x66,0x0F,0x3A,0xDF,"
81 #define PCLMULQDQ ".byte 0x66,0x0F,0x3A,0x44,"
82 
83 #define xmm0_xmm0 "0xC0"
84 #define xmm0_xmm1 "0xC8"
85 #define xmm0_xmm2 "0xD0"
86 #define xmm0_xmm3 "0xD8"
87 #define xmm0_xmm4 "0xE0"
88 #define xmm1_xmm0 "0xC1"
89 #define xmm1_xmm2 "0xD1"
90 
91 /*
92  * AES-NI AES-ECB block en(de)cryption
93  */
94 int aesni_crypt_ecb( aes_context *ctx,
95  int mode,
96  const unsigned char input[16],
97  unsigned char output[16] )
98 {
99  asm( "movdqu (%3), %%xmm0 \n\t" // load input
100  "movdqu (%1), %%xmm1 \n\t" // load round key 0
101  "pxor %%xmm1, %%xmm0 \n\t" // round 0
102 #ifdef __ILP32__
103  "add $16, %1 \n\t" // point to next round key
104 #else
105  "addq $16, %1 \n\t" // point to next round key
106 #endif
107  "subl $1, %0 \n\t" // normal rounds = nr - 1
108  "test %2, %2 \n\t" // mode?
109  "jz 2f \n\t" // 0 = decrypt
110 
111  "1: \n\t" // encryption loop
112  "movdqu (%1), %%xmm1 \n\t" // load round key
113  AESENC xmm1_xmm0 "\n\t" // do round
114 #ifdef __ILP32__
115  "add $16, %1 \n\t" // point to next round key
116 #else
117  "addq $16, %1 \n\t" // point to next round key
118 #endif
119  "subl $1, %0 \n\t" // loop
120  "jnz 1b \n\t"
121  "movdqu (%1), %%xmm1 \n\t" // load round key
122  AESENCLAST xmm1_xmm0 "\n\t" // last round
123  "jmp 3f \n\t"
124 
125  "2: \n\t" // decryption loop
126  "movdqu (%1), %%xmm1 \n\t"
127  AESDEC xmm1_xmm0 "\n\t" // do round
128 #ifdef __ILP32__
129  "add $16, %1 \n\t"
130 #else
131  "addq $16, %1 \n\t"
132 #endif
133  "subl $1, %0 \n\t"
134  "jnz 2b \n\t"
135  "movdqu (%1), %%xmm1 \n\t" // load round key
136  AESDECLAST xmm1_xmm0 "\n\t" // last round
137 
138  "3: \n\t"
139  "movdqu %%xmm0, (%4) \n\t" // export output
140  :
141  : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output)
142  : "memory", "cc", "xmm0", "xmm1" );
143 
144 
145  return( 0 );
146 }
147 
148 /*
149  * GCM multiplication: c = a times b in GF(2^128)
150  * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
151  */
152 void aesni_gcm_mult( unsigned char c[16],
153  const unsigned char a[16],
154  const unsigned char b[16] )
155 {
156  unsigned char aa[16], bb[16], cc[16];
157  size_t i;
158 
159  /* The inputs are in big-endian order, so byte-reverse them */
160  for( i = 0; i < 16; i++ )
161  {
162  aa[i] = a[15 - i];
163  bb[i] = b[15 - i];
164  }
165 
166  asm( "movdqu (%0), %%xmm0 \n\t" // a1:a0
167  "movdqu (%1), %%xmm1 \n\t" // b1:b0
168 
169  /*
170  * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
171  * using [CLMUL-WP] algorithm 1 (p. 13).
172  */
173  "movdqa %%xmm1, %%xmm2 \n\t" // copy of b1:b0
174  "movdqa %%xmm1, %%xmm3 \n\t" // same
175  "movdqa %%xmm1, %%xmm4 \n\t" // same
176  PCLMULQDQ xmm0_xmm1 ",0x00 \n\t" // a0*b0 = c1:c0
177  PCLMULQDQ xmm0_xmm2 ",0x11 \n\t" // a1*b1 = d1:d0
178  PCLMULQDQ xmm0_xmm3 ",0x10 \n\t" // a0*b1 = e1:e0
179  PCLMULQDQ xmm0_xmm4 ",0x01 \n\t" // a1*b0 = f1:f0
180  "pxor %%xmm3, %%xmm4 \n\t" // e1+f1:e0+f0
181  "movdqa %%xmm4, %%xmm3 \n\t" // same
182  "psrldq $8, %%xmm4 \n\t" // 0:e1+f1
183  "pslldq $8, %%xmm3 \n\t" // e0+f0:0
184  "pxor %%xmm4, %%xmm2 \n\t" // d1:d0+e1+f1
185  "pxor %%xmm3, %%xmm1 \n\t" // c1+e0+f1:c0
186 
187  /*
188  * Now shift the result one bit to the left,
189  * taking advantage of [CLMUL-WP] eq 27 (p. 20)
190  */
191  "movdqa %%xmm1, %%xmm3 \n\t" // r1:r0
192  "movdqa %%xmm2, %%xmm4 \n\t" // r3:r2
193  "psllq $1, %%xmm1 \n\t" // r1<<1:r0<<1
194  "psllq $1, %%xmm2 \n\t" // r3<<1:r2<<1
195  "psrlq $63, %%xmm3 \n\t" // r1>>63:r0>>63
196  "psrlq $63, %%xmm4 \n\t" // r3>>63:r2>>63
197  "movdqa %%xmm3, %%xmm5 \n\t" // r1>>63:r0>>63
198  "pslldq $8, %%xmm3 \n\t" // r0>>63:0
199  "pslldq $8, %%xmm4 \n\t" // r2>>63:0
200  "psrldq $8, %%xmm5 \n\t" // 0:r1>>63
201  "por %%xmm3, %%xmm1 \n\t" // r1<<1|r0>>63:r0<<1
202  "por %%xmm4, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1
203  "por %%xmm5, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
204 
205  /*
206  * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
207  * using [CLMUL-WP] algorithm 5 (p. 20).
208  * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
209  */
210  /* Step 2 (1) */
211  "movdqa %%xmm1, %%xmm3 \n\t" // x1:x0
212  "movdqa %%xmm1, %%xmm4 \n\t" // same
213  "movdqa %%xmm1, %%xmm5 \n\t" // same
214  "psllq $63, %%xmm3 \n\t" // x1<<63:x0<<63 = stuff:a
215  "psllq $62, %%xmm4 \n\t" // x1<<62:x0<<62 = stuff:b
216  "psllq $57, %%xmm5 \n\t" // x1<<57:x0<<57 = stuff:c
217 
218  /* Step 2 (2) */
219  "pxor %%xmm4, %%xmm3 \n\t" // stuff:a+b
220  "pxor %%xmm5, %%xmm3 \n\t" // stuff:a+b+c
221  "pslldq $8, %%xmm3 \n\t" // a+b+c:0
222  "pxor %%xmm3, %%xmm1 \n\t" // x1+a+b+c:x0 = d:x0
223 
224  /* Steps 3 and 4 */
225  "movdqa %%xmm1,%%xmm0 \n\t" // d:x0
226  "movdqa %%xmm1,%%xmm4 \n\t" // same
227  "movdqa %%xmm1,%%xmm5 \n\t" // same
228  "psrlq $1, %%xmm0 \n\t" // e1:x0>>1 = e1:e0'
229  "psrlq $2, %%xmm4 \n\t" // f1:x0>>2 = f1:f0'
230  "psrlq $7, %%xmm5 \n\t" // g1:x0>>7 = g1:g0'
231  "pxor %%xmm4, %%xmm0 \n\t" // e1+f1:e0'+f0'
232  "pxor %%xmm5, %%xmm0 \n\t" // e1+f1+g1:e0'+f0'+g0'
233  // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
234  // bits carried from d. Now get those\t bits back in.
235  "movdqa %%xmm1,%%xmm3 \n\t" // d:x0
236  "movdqa %%xmm1,%%xmm4 \n\t" // same
237  "movdqa %%xmm1,%%xmm5 \n\t" // same
238  "psllq $63, %%xmm3 \n\t" // d<<63:stuff
239  "psllq $62, %%xmm4 \n\t" // d<<62:stuff
240  "psllq $57, %%xmm5 \n\t" // d<<57:stuff
241  "pxor %%xmm4, %%xmm3 \n\t" // d<<63+d<<62:stuff
242  "pxor %%xmm5, %%xmm3 \n\t" // missing bits of d:stuff
243  "psrldq $8, %%xmm3 \n\t" // 0:missing bits of d
244  "pxor %%xmm3, %%xmm0 \n\t" // e1+f1+g1:e0+f0+g0
245  "pxor %%xmm1, %%xmm0 \n\t" // h1:h0
246  "pxor %%xmm2, %%xmm0 \n\t" // x3+h1:x2+h0
247 
248  "movdqu %%xmm0, (%2) \n\t" // done
249  :
250  : "r" (aa), "r" (bb), "r" (cc)
251  : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5" );
252 
253  /* Now byte-reverse the outputs */
254  for( i = 0; i < 16; i++ )
255  c[i] = cc[15 - i];
256 
257  return;
258 }
259 
260 /*
261  * Compute decryption round keys from encryption round keys
262  */
263 void aesni_inverse_key( unsigned char *invkey,
264  const unsigned char *fwdkey, int nr )
265 {
266  unsigned char *ik = invkey;
267  const unsigned char *fk = fwdkey + 16 * nr;
268 
269  memcpy( ik, fk, 16 );
270 
271  for( fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16 )
272  asm( "movdqu (%0), %%xmm0 \n\t"
273  AESIMC xmm0_xmm0 "\n\t"
274  "movdqu %%xmm0, (%1) \n\t"
275  :
276  : "r" (fk), "r" (ik)
277  : "memory", "xmm0" );
278 
279  memcpy( ik, fk, 16 );
280 }
281 
282 /*
283  * Key expansion, 128-bit case
284  */
285 static void aesni_setkey_enc_128( unsigned char *rk,
286  const unsigned char *key )
287 {
288  asm( "movdqu (%1), %%xmm0 \n\t" // copy the original key
289  "movdqu %%xmm0, (%0) \n\t" // as round key 0
290  "jmp 2f \n\t" // skip auxiliary routine
291 
292  /*
293  * Finish generating the next round key.
294  *
295  * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
296  * with X = rot( sub( r3 ) ) ^ RCON.
297  *
298  * On exit, xmm0 is r7:r6:r5:r4
299  * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
300  * and those are written to the round key buffer.
301  */
302  "1: \n\t"
303  "pshufd $0xff, %%xmm1, %%xmm1 \n\t" // X:X:X:X
304  "pxor %%xmm0, %%xmm1 \n\t" // X+r3:X+r2:X+r1:r4
305  "pslldq $4, %%xmm0 \n\t" // r2:r1:r0:0
306  "pxor %%xmm0, %%xmm1 \n\t" // X+r3+r2:X+r2+r1:r5:r4
307  "pslldq $4, %%xmm0 \n\t" // etc
308  "pxor %%xmm0, %%xmm1 \n\t"
309  "pslldq $4, %%xmm0 \n\t"
310  "pxor %%xmm1, %%xmm0 \n\t" // update xmm0 for next time!
311  "add $16, %0 \n\t" // point to next round key
312  "movdqu %%xmm0, (%0) \n\t" // write it
313  "ret \n\t"
314 
315  /* Main "loop" */
316  "2: \n\t"
317  AESKEYGENA xmm0_xmm1 ",0x01 \n\tcall 1b \n\t"
318  AESKEYGENA xmm0_xmm1 ",0x02 \n\tcall 1b \n\t"
319  AESKEYGENA xmm0_xmm1 ",0x04 \n\tcall 1b \n\t"
320  AESKEYGENA xmm0_xmm1 ",0x08 \n\tcall 1b \n\t"
321  AESKEYGENA xmm0_xmm1 ",0x10 \n\tcall 1b \n\t"
322  AESKEYGENA xmm0_xmm1 ",0x20 \n\tcall 1b \n\t"
323  AESKEYGENA xmm0_xmm1 ",0x40 \n\tcall 1b \n\t"
324  AESKEYGENA xmm0_xmm1 ",0x80 \n\tcall 1b \n\t"
325  AESKEYGENA xmm0_xmm1 ",0x1B \n\tcall 1b \n\t"
326  AESKEYGENA xmm0_xmm1 ",0x36 \n\tcall 1b \n\t"
327  :
328  : "r" (rk), "r" (key)
329  : "memory", "cc", "0" );
330 }
331 
332 /*
333  * Key expansion, 192-bit case
334  */
335 static void aesni_setkey_enc_192( unsigned char *rk,
336  const unsigned char *key )
337 {
338  asm( "movdqu (%1), %%xmm0 \n\t" // copy original round key
339  "movdqu %%xmm0, (%0) \n\t"
340  "add $16, %0 \n\t"
341  "movq 16(%1), %%xmm1 \n\t"
342  "movq %%xmm1, (%0) \n\t"
343  "add $8, %0 \n\t"
344  "jmp 2f \n\t" // skip auxiliary routine
345 
346  /*
347  * Finish generating the next 6 quarter-keys.
348  *
349  * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
350  * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
351  *
352  * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
353  * and those are written to the round key buffer.
354  */
355  "1: \n\t"
356  "pshufd $0x55, %%xmm2, %%xmm2 \n\t" // X:X:X:X
357  "pxor %%xmm0, %%xmm2 \n\t" // X+r3:X+r2:X+r1:r4
358  "pslldq $4, %%xmm0 \n\t" // etc
359  "pxor %%xmm0, %%xmm2 \n\t"
360  "pslldq $4, %%xmm0 \n\t"
361  "pxor %%xmm0, %%xmm2 \n\t"
362  "pslldq $4, %%xmm0 \n\t"
363  "pxor %%xmm2, %%xmm0 \n\t" // update xmm0 = r9:r8:r7:r6
364  "movdqu %%xmm0, (%0) \n\t"
365  "add $16, %0 \n\t"
366  "pshufd $0xff, %%xmm0, %%xmm2 \n\t" // r9:r9:r9:r9
367  "pxor %%xmm1, %%xmm2 \n\t" // stuff:stuff:r9+r5:r10
368  "pslldq $4, %%xmm1 \n\t" // r2:r1:r0:0
369  "pxor %%xmm2, %%xmm1 \n\t" // xmm1 = stuff:stuff:r11:r10
370  "movq %%xmm1, (%0) \n\t"
371  "add $8, %0 \n\t"
372  "ret \n\t"
373 
374  "2: \n\t"
375  AESKEYGENA xmm1_xmm2 ",0x01 \n\tcall 1b \n\t"
376  AESKEYGENA xmm1_xmm2 ",0x02 \n\tcall 1b \n\t"
377  AESKEYGENA xmm1_xmm2 ",0x04 \n\tcall 1b \n\t"
378  AESKEYGENA xmm1_xmm2 ",0x08 \n\tcall 1b \n\t"
379  AESKEYGENA xmm1_xmm2 ",0x10 \n\tcall 1b \n\t"
380  AESKEYGENA xmm1_xmm2 ",0x20 \n\tcall 1b \n\t"
381  AESKEYGENA xmm1_xmm2 ",0x40 \n\tcall 1b \n\t"
382  AESKEYGENA xmm1_xmm2 ",0x80 \n\tcall 1b \n\t"
383 
384  :
385  : "r" (rk), "r" (key)
386  : "memory", "cc", "0" );
387 }
388 
389 /*
390  * Key expansion, 256-bit case
391  */
392 static void aesni_setkey_enc_256( unsigned char *rk,
393  const unsigned char *key )
394 {
395  asm( "movdqu (%1), %%xmm0 \n\t"
396  "movdqu %%xmm0, (%0) \n\t"
397  "add $16, %0 \n\t"
398  "movdqu 16(%1), %%xmm1 \n\t"
399  "movdqu %%xmm1, (%0) \n\t"
400  "jmp 2f \n\t" // skip auxiliary routine
401 
402  /*
403  * Finish generating the next two round keys.
404  *
405  * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
406  * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
407  *
408  * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
409  * and those have been written to the output buffer.
410  */
411  "1: \n\t"
412  "pshufd $0xff, %%xmm2, %%xmm2 \n\t"
413  "pxor %%xmm0, %%xmm2 \n\t"
414  "pslldq $4, %%xmm0 \n\t"
415  "pxor %%xmm0, %%xmm2 \n\t"
416  "pslldq $4, %%xmm0 \n\t"
417  "pxor %%xmm0, %%xmm2 \n\t"
418  "pslldq $4, %%xmm0 \n\t"
419  "pxor %%xmm2, %%xmm0 \n\t"
420  "add $16, %0 \n\t"
421  "movdqu %%xmm0, (%0) \n\t"
422 
423  /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
424  * and proceed to generate next round key from there */
425  AESKEYGENA xmm0_xmm2 ",0x00 \n\t"
426  "pshufd $0xaa, %%xmm2, %%xmm2 \n\t"
427  "pxor %%xmm1, %%xmm2 \n\t"
428  "pslldq $4, %%xmm1 \n\t"
429  "pxor %%xmm1, %%xmm2 \n\t"
430  "pslldq $4, %%xmm1 \n\t"
431  "pxor %%xmm1, %%xmm2 \n\t"
432  "pslldq $4, %%xmm1 \n\t"
433  "pxor %%xmm2, %%xmm1 \n\t"
434  "add $16, %0 \n\t"
435  "movdqu %%xmm1, (%0) \n\t"
436  "ret \n\t"
437 
438  /*
439  * Main "loop" - Generating one more key than necessary,
440  * see definition of aes_context.buf
441  */
442  "2: \n\t"
443  AESKEYGENA xmm1_xmm2 ",0x01 \n\tcall 1b \n\t"
444  AESKEYGENA xmm1_xmm2 ",0x02 \n\tcall 1b \n\t"
445  AESKEYGENA xmm1_xmm2 ",0x04 \n\tcall 1b \n\t"
446  AESKEYGENA xmm1_xmm2 ",0x08 \n\tcall 1b \n\t"
447  AESKEYGENA xmm1_xmm2 ",0x10 \n\tcall 1b \n\t"
448  AESKEYGENA xmm1_xmm2 ",0x20 \n\tcall 1b \n\t"
449  AESKEYGENA xmm1_xmm2 ",0x40 \n\tcall 1b \n\t"
450  :
451  : "r" (rk), "r" (key)
452  : "memory", "cc", "0" );
453 }
454 
455 /*
456  * Key expansion, wrapper
457  */
458 int aesni_setkey_enc( unsigned char *rk,
459  const unsigned char *key,
460  size_t bits )
461 {
462  switch( bits )
463  {
464  case 128: aesni_setkey_enc_128( rk, key ); break;
465  case 192: aesni_setkey_enc_192( rk, key ); break;
466  case 256: aesni_setkey_enc_256( rk, key ); break;
467  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
468  }
469 
470  return( 0 );
471 }
472 
473 #endif /* POLARSSL_HAVE_X86_64 */
474 
475 #endif /* POLARSSL_AESNI_C */