1 /* SPDX-License-Identifier: GPL-2.0 */
2 /*
3 * Copyright (C) 2018 Google, Inc.
4 */
5
6 #include <linux/linkage.h>
7 #include <asm/assembler.h>
8
9 /*
10 * Design notes:
11 *
12 * 16 registers would be needed to hold the state matrix, but only 14 are
13 * available because 'sp' and 'pc' cannot be used. So we spill the elements
14 * (x8, x9) to the stack and swap them out with (x10, x11). This adds one
15 * 'ldrd' and one 'strd' instruction per round.
16 *
17 * All rotates are performed using the implicit rotate operand accepted by the
18 * 'add' and 'eor' instructions. This is faster than using explicit rotate
19 * instructions. To make this work, we allow the values in the second and last
20 * rows of the ChaCha state matrix (rows 'b' and 'd') to temporarily have the
21 * wrong rotation amount. The rotation amount is then fixed up just in time
22 * when the values are used. 'brot' is the number of bits the values in row 'b'
23 * need to be rotated right to arrive at the correct values, and 'drot'
24 * similarly for row 'd'. (brot, drot) start out as (0, 0) but we make it such
25 * that they end up as (25, 24) after every round.
26 */
27
28 // ChaCha state registers
29 X0 .req r0
30 X1 .req r1
31 X2 .req r2
32 X3 .req r3
33 X4 .req r4
34 X5 .req r5
35 X6 .req r6
36 X7 .req r7
37 X8_X10 .req r8 // shared by x8 and x10
38 X9_X11 .req r9 // shared by x9 and x11
39 X12 .req r10
40 X13 .req r11
41 X14 .req r12
42 X15 .req r14
43
44 .macro _le32_bswap_4x a, b, c, d, tmp
45 #ifdef __ARMEB__
46 rev_l \a, \tmp
47 rev_l \b, \tmp
48 rev_l \c, \tmp
49 rev_l \d, \tmp
50 #endif
51 .endm
52
53 .macro __ldrd a, b, src, offset
54 #if __LINUX_ARM_ARCH__ >= 6
55 ldrd \a, \b, [\src, #\offset]
56 #else
57 ldr \a, [\src, #\offset]
58 ldr \b, [\src, #\offset + 4]
59 #endif
60 .endm
61
62 .macro __strd a, b, dst, offset
63 #if __LINUX_ARM_ARCH__ >= 6
64 strd \a, \b, [\dst, #\offset]
65 #else
66 str \a, [\dst, #\offset]
67 str \b, [\dst, #\offset + 4]
68 #endif
69 .endm
70
71 .macro _halfround a1, b1, c1, d1, a2, b2, c2, d2
72
73 // a += b; d ^= a; d = rol(d, 16);
74 add \a1, \a1, \b1, ror #brot
75 add \a2, \a2, \b2, ror #brot
76 eor \d1, \a1, \d1, ror #drot
77 eor \d2, \a2, \d2, ror #drot
78 // drot == 32 - 16 == 16
79
80 // c += d; b ^= c; b = rol(b, 12);
81 add \c1, \c1, \d1, ror #16
82 add \c2, \c2, \d2, ror #16
83 eor \b1, \c1, \b1, ror #brot
84 eor \b2, \c2, \b2, ror #brot
85 // brot == 32 - 12 == 20
86
87 // a += b; d ^= a; d = rol(d, 8);
88 add \a1, \a1, \b1, ror #20
89 add \a2, \a2, \b2, ror #20
90 eor \d1, \a1, \d1, ror #16
91 eor \d2, \a2, \d2, ror #16
92 // drot == 32 - 8 == 24
93
94 // c += d; b ^= c; b = rol(b, 7);
95 add \c1, \c1, \d1, ror #24
96 add \c2, \c2, \d2, ror #24
97 eor \b1, \c1, \b1, ror #20
98 eor \b2, \c2, \b2, ror #20
99 // brot == 32 - 7 == 25
100 .endm
101
102 .macro _doubleround
103
104 // column round
105
106 // quarterrounds: (x0, x4, x8, x12) and (x1, x5, x9, x13)
107 _halfround X0, X4, X8_X10, X12, X1, X5, X9_X11, X13
108
109 // save (x8, x9); restore (x10, x11)
110 __strd X8_X10, X9_X11, sp, 0
111 __ldrd X8_X10, X9_X11, sp, 8
112
113 // quarterrounds: (x2, x6, x10, x14) and (x3, x7, x11, x15)
114 _halfround X2, X6, X8_X10, X14, X3, X7, X9_X11, X15
115
116 .set brot, 25
117 .set drot, 24
118
119 // diagonal round
120
121 // quarterrounds: (x0, x5, x10, x15) and (x1, x6, x11, x12)
122 _halfround X0, X5, X8_X10, X15, X1, X6, X9_X11, X12
123
124 // save (x10, x11); restore (x8, x9)
125 __strd X8_X10, X9_X11, sp, 8
126 __ldrd X8_X10, X9_X11, sp, 0
127
128 // quarterrounds: (x2, x7, x8, x13) and (x3, x4, x9, x14)
129 _halfround X2, X7, X8_X10, X13, X3, X4, X9_X11, X14
130 .endm
131
132 .macro _chacha_permute nrounds
133 .set brot, 0
134 .set drot, 0
135 .rept \nrounds / 2
136 _doubleround
137 .endr
138 .endm
139
140 .macro _chacha nrounds
141
142 .Lnext_block\@:
143 // Stack: unused0-unused1 x10-x11 x0-x15 OUT IN LEN
144 // Registers contain x0-x9,x12-x15.
145
146 // Do the core ChaCha permutation to update x0-x15.
147 _chacha_permute \nrounds
148
149 add sp, #8
150 // Stack: x10-x11 orig_x0-orig_x15 OUT IN LEN
151 // Registers contain x0-x9,x12-x15.
152 // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
153
154 // Free up some registers (r8-r12,r14) by pushing (x8-x9,x12-x15).
155 push {X8_X10, X9_X11, X12, X13, X14, X15}
156
157 // Load (OUT, IN, LEN).
158 ldr r14, [sp, #96]
159 ldr r12, [sp, #100]
160 ldr r11, [sp, #104]
161
162 orr r10, r14, r12
163
164 // Use slow path if fewer than 64 bytes remain.
165 cmp r11, #64
166 blt .Lxor_slowpath\@
167
168 // Use slow path if IN and/or OUT isn't 4-byte aligned. Needed even on
169 // ARMv6+, since ldmia and stmia (used below) still require alignment.
170 tst r10, #3
171 bne .Lxor_slowpath\@
172
173 // Fast path: XOR 64 bytes of aligned data.
174
175 // Stack: x8-x9 x12-x15 x10-x11 orig_x0-orig_x15 OUT IN LEN
176 // Registers: r0-r7 are x0-x7; r8-r11 are free; r12 is IN; r14 is OUT.
177 // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
178
179 // x0-x3
180 __ldrd r8, r9, sp, 32
181 __ldrd r10, r11, sp, 40
182 add X0, X0, r8
183 add X1, X1, r9
184 add X2, X2, r10
185 add X3, X3, r11
186 _le32_bswap_4x X0, X1, X2, X3, r8
187 ldmia r12!, {r8-r11}
188 eor X0, X0, r8
189 eor X1, X1, r9
190 eor X2, X2, r10
191 eor X3, X3, r11
192 stmia r14!, {X0-X3}
193
194 // x4-x7
195 __ldrd r8, r9, sp, 48
196 __ldrd r10, r11, sp, 56
197 add X4, r8, X4, ror #brot
198 add X5, r9, X5, ror #brot
199 ldmia r12!, {X0-X3}
200 add X6, r10, X6, ror #brot
201 add X7, r11, X7, ror #brot
202 _le32_bswap_4x X4, X5, X6, X7, r8
203 eor X4, X4, X0
204 eor X5, X5, X1
205 eor X6, X6, X2
206 eor X7, X7, X3
207 stmia r14!, {X4-X7}
208
209 // x8-x15
210 pop {r0-r7} // (x8-x9,x12-x15,x10-x11)
211 __ldrd r8, r9, sp, 32
212 __ldrd r10, r11, sp, 40
213 add r0, r0, r8 // x8
214 add r1, r1, r9 // x9
215 add r6, r6, r10 // x10
216 add r7, r7, r11 // x11
217 _le32_bswap_4x r0, r1, r6, r7, r8
218 ldmia r12!, {r8-r11}
219 eor r0, r0, r8 // x8
220 eor r1, r1, r9 // x9
221 eor r6, r6, r10 // x10
222 eor r7, r7, r11 // x11
223 stmia r14!, {r0,r1,r6,r7}
224 ldmia r12!, {r0,r1,r6,r7}
225 __ldrd r8, r9, sp, 48
226 __ldrd r10, r11, sp, 56
227 add r2, r8, r2, ror #drot // x12
228 add r3, r9, r3, ror #drot // x13
229 add r4, r10, r4, ror #drot // x14
230 add r5, r11, r5, ror #drot // x15
231 _le32_bswap_4x r2, r3, r4, r5, r9
232 ldr r9, [sp, #72] // load LEN
233 eor r2, r2, r0 // x12
234 eor r3, r3, r1 // x13
235 eor r4, r4, r6 // x14
236 eor r5, r5, r7 // x15
237 subs r9, #64 // decrement and check LEN
238 stmia r14!, {r2-r5}
239
240 beq .Ldone\@
241
242 .Lprepare_for_next_block\@:
243
244 // Stack: x0-x15 OUT IN LEN
245
246 // Increment block counter (x12)
247 add r8, #1
248
249 // Store updated (OUT, IN, LEN)
250 str r14, [sp, #64]
251 str r12, [sp, #68]
252 str r9, [sp, #72]
253
254 mov r14, sp
255
256 // Store updated block counter (x12)
257 str r8, [sp, #48]
258
259 sub sp, #16
260
261 // Reload state and do next block
262 ldmia r14!, {r0-r11} // load x0-x11
263 __strd r10, r11, sp, 8 // store x10-x11 before state
264 ldmia r14, {r10-r12,r14} // load x12-x15
265 b .Lnext_block\@
266
267 .Lxor_slowpath\@:
268 // Slow path: < 64 bytes remaining, or unaligned input or output buffer.
269 // We handle it by storing the 64 bytes of keystream to the stack, then
270 // XOR-ing the needed portion with the data.
271
272 // Allocate keystream buffer
273 sub sp, #64
274 mov r14, sp
275
276 // Stack: ks0-ks15 x8-x9 x12-x15 x10-x11 orig_x0-orig_x15 OUT IN LEN
277 // Registers: r0-r7 are x0-x7; r8-r11 are free; r12 is IN; r14 is &ks0.
278 // x4-x7 are rotated by 'brot'; x12-x15 are rotated by 'drot'.
279
280 // Save keystream for x0-x3
281 __ldrd r8, r9, sp, 96
282 __ldrd r10, r11, sp, 104
283 add X0, X0, r8
284 add X1, X1, r9
285 add X2, X2, r10
286 add X3, X3, r11
287 _le32_bswap_4x X0, X1, X2, X3, r8
288 stmia r14!, {X0-X3}
289
290 // Save keystream for x4-x7
291 __ldrd r8, r9, sp, 112
292 __ldrd r10, r11, sp, 120
293 add X4, r8, X4, ror #brot
294 add X5, r9, X5, ror #brot
295 add X6, r10, X6, ror #brot
296 add X7, r11, X7, ror #brot
297 _le32_bswap_4x X4, X5, X6, X7, r8
298 add r8, sp, #64
299 stmia r14!, {X4-X7}
300
301 // Save keystream for x8-x15
302 ldm r8, {r0-r7} // (x8-x9,x12-x15,x10-x11)
303 __ldrd r8, r9, sp, 128
304 __ldrd r10, r11, sp, 136
305 add r0, r0, r8 // x8
306 add r1, r1, r9 // x9
307 add r6, r6, r10 // x10
308 add r7, r7, r11 // x11
309 _le32_bswap_4x r0, r1, r6, r7, r8
310 stmia r14!, {r0,r1,r6,r7}
311 __ldrd r8, r9, sp, 144
312 __ldrd r10, r11, sp, 152
313 add r2, r8, r2, ror #drot // x12
314 add r3, r9, r3, ror #drot // x13
315 add r4, r10, r4, ror #drot // x14
316 add r5, r11, r5, ror #drot // x15
317 _le32_bswap_4x r2, r3, r4, r5, r9
318 stmia r14, {r2-r5}
319
320 // Stack: ks0-ks15 unused0-unused7 x0-x15 OUT IN LEN
321 // Registers: r8 is block counter, r12 is IN.
322
323 ldr r9, [sp, #168] // LEN
324 ldr r14, [sp, #160] // OUT
325 cmp r9, #64
326 mov r0, sp
327 movle r1, r9
328 movgt r1, #64
329 // r1 is number of bytes to XOR, in range [1, 64]
330
331 .if __LINUX_ARM_ARCH__ < 6
332 orr r2, r12, r14
333 tst r2, #3 // IN or OUT misaligned?
334 bne .Lxor_next_byte\@
335 .endif
336
337 // XOR a word at a time
338 .rept 16
339 subs r1, #4
340 blt .Lxor_words_done\@
341 ldr r2, [r12], #4
342 ldr r3, [r0], #4
343 eor r2, r2, r3
344 str r2, [r14], #4
345 .endr
346 b .Lxor_slowpath_done\@
347 .Lxor_words_done\@:
348 ands r1, r1, #3
349 beq .Lxor_slowpath_done\@
350
351 // XOR a byte at a time
352 .Lxor_next_byte\@:
353 ldrb r2, [r12], #1
354 ldrb r3, [r0], #1
355 eor r2, r2, r3
356 strb r2, [r14], #1
357 subs r1, #1
358 bne .Lxor_next_byte\@
359
360 .Lxor_slowpath_done\@:
361 subs r9, #64
362 add sp, #96
363 bgt .Lprepare_for_next_block\@
364
365 .Ldone\@:
366 .endm // _chacha
367
368 /*
369 * void chacha_doarm(u8 *dst, const u8 *src, unsigned int bytes,
370 * const u32 *state, int nrounds);
371 */
372 ENTRY(chacha_doarm)
373 cmp r2, #0 // len == 0?
374 reteq lr
375
376 ldr ip, [sp]
377 cmp ip, #12
378
379 push {r0-r2,r4-r11,lr}
380
381 // Push state x0-x15 onto stack.
382 // Also store an extra copy of x10-x11 just before the state.
383
384 add X12, r3, #48
385 ldm X12, {X12,X13,X14,X15}
386 push {X12,X13,X14,X15}
387 sub sp, sp, #64
388
389 __ldrd X8_X10, X9_X11, r3, 40
390 __strd X8_X10, X9_X11, sp, 8
391 __strd X8_X10, X9_X11, sp, 56
392 ldm r3, {X0-X9_X11}
393 __strd X0, X1, sp, 16
394 __strd X2, X3, sp, 24
395 __strd X4, X5, sp, 32
396 __strd X6, X7, sp, 40
397 __strd X8_X10, X9_X11, sp, 48
398
399 beq 1f
400 _chacha 20
401
402 0: add sp, #76
403 pop {r4-r11, pc}
404
405 1: _chacha 12
406 b 0b
407 ENDPROC(chacha_doarm)
408
409 /*
410 * void hchacha_block_arm(const u32 state[16], u32 out[8], int nrounds);
411 */
412 ENTRY(hchacha_block_arm)
413 push {r1,r4-r11,lr}
414
415 cmp r2, #12 // ChaCha12 ?
416
417 mov r14, r0
418 ldmia r14!, {r0-r11} // load x0-x11
419 push {r10-r11} // store x10-x11 to stack
420 ldm r14, {r10-r12,r14} // load x12-x15
421 sub sp, #8
422
423 beq 1f
424 _chacha_permute 20
425
426 // Skip over (unused0-unused1, x10-x11)
427 0: add sp, #16
428
429 // Fix up rotations of x12-x15
430 ror X12, X12, #drot
431 ror X13, X13, #drot
432 pop {r4} // load 'out'
433 ror X14, X14, #drot
434 ror X15, X15, #drot
435
436 // Store (x0-x3,x12-x15) to 'out'
437 stm r4, {X0,X1,X2,X3,X12,X13,X14,X15}
438
439 pop {r4-r11,pc}
440
441 1: _chacha_permute 12
442 b 0b
443 ENDPROC(hchacha_block_arm)
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.