PolarSSL v1.3.8
aesni.c
Go to the documentation of this file.
1 /*
2  * AES-NI support functions
3  *
4  * Copyright (C) 2006-2014, Brainspark B.V.
5  *
6  * This file is part of PolarSSL (http://www.polarssl.org)
7  * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
8  *
9  * All rights reserved.
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License as published by
13  * the Free Software Foundation; either version 2 of the License, or
14  * (at your option) any later version.
15  *
16  * This program is distributed in the hope that it will be useful,
17  * but WITHOUT ANY WARRANTY; without even the implied warranty of
18  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19  * GNU General Public License for more details.
20  *
21  * You should have received a copy of the GNU General Public License along
22  * with this program; if not, write to the Free Software Foundation, Inc.,
23  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24  */
25 
26 /*
27  * [AES-WP] http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-aes-instructions-set
28  * [CLMUL-WP] http://software.intel.com/en-us/articles/intel-carry-less-multiplication-instruction-and-its-usage-for-computing-the-gcm-mode/
29  */
30 
31 #if !defined(POLARSSL_CONFIG_FILE)
32 #include "polarssl/config.h"
33 #else
34 #include POLARSSL_CONFIG_FILE
35 #endif
36 
37 #if defined(POLARSSL_AESNI_C)
38 
39 #include "polarssl/aesni.h"
40 #include <stdio.h>
41 
42 #if defined(POLARSSL_HAVE_X86_64)
43 
44 /*
45  * AES-NI support detection routine
46  */
47 int aesni_supports( unsigned int what )
48 {
49  static int done = 0;
50  static unsigned int c = 0;
51 
52  if( ! done )
53  {
54  asm( "movl $1, %%eax \n\t"
55  "cpuid \n\t"
56  : "=c" (c)
57  :
58  : "eax", "ebx", "edx" );
59  done = 1;
60  }
61 
62  return( ( c & what ) != 0 );
63 }
64 
65 /*
66  * Binutils needs to be at least 2.19 to support AES-NI instructions.
67  * Unfortunately, a lot of users have a lower version now (2014-04).
68  * Emit bytecode directly in order to support "old" version of gas.
69  *
70  * Opcodes from the Intel architecture reference manual, vol. 3.
71  * We always use registers, so we don't need prefixes for memory operands.
72  * Operand macros are in gas order (src, dst) as opposed to Intel order
73  * (dst, src) in order to blend better into the surrounding assembly code.
74  */
75 #define AESDEC ".byte 0x66,0x0F,0x38,0xDE,"
76 #define AESDECLAST ".byte 0x66,0x0F,0x38,0xDF,"
77 #define AESENC ".byte 0x66,0x0F,0x38,0xDC,"
78 #define AESENCLAST ".byte 0x66,0x0F,0x38,0xDD,"
79 #define AESIMC ".byte 0x66,0x0F,0x38,0xDB,"
80 #define AESKEYGENA ".byte 0x66,0x0F,0x3A,0xDF,"
81 #define PCLMULQDQ ".byte 0x66,0x0F,0x3A,0x44,"
82 
83 #define xmm0_xmm0 "0xC0"
84 #define xmm0_xmm1 "0xC8"
85 #define xmm0_xmm2 "0xD0"
86 #define xmm0_xmm3 "0xD8"
87 #define xmm0_xmm4 "0xE0"
88 #define xmm1_xmm0 "0xC1"
89 #define xmm1_xmm2 "0xD1"
90 
91 /*
92  * AES-NI AES-ECB block en(de)cryption
93  */
94 int aesni_crypt_ecb( aes_context *ctx,
95  int mode,
96  const unsigned char input[16],
97  unsigned char output[16] )
98 {
99  asm( "movdqu (%3), %%xmm0 \n\t" // load input
100  "movdqu (%1), %%xmm1 \n\t" // load round key 0
101  "pxor %%xmm1, %%xmm0 \n\t" // round 0
102  "addq $16, %1 \n\t" // point to next round key
103  "subl $1, %0 \n\t" // normal rounds = nr - 1
104  "test %2, %2 \n\t" // mode?
105  "jz 2f \n\t" // 0 = decrypt
106 
107  "1: \n\t" // encryption loop
108  "movdqu (%1), %%xmm1 \n\t" // load round key
109  AESENC xmm1_xmm0 "\n\t" // do round
110  "addq $16, %1 \n\t" // point to next round key
111  "subl $1, %0 \n\t" // loop
112  "jnz 1b \n\t"
113  "movdqu (%1), %%xmm1 \n\t" // load round key
114  AESENCLAST xmm1_xmm0 "\n\t" // last round
115  "jmp 3f \n\t"
116 
117  "2: \n\t" // decryption loop
118  "movdqu (%1), %%xmm1 \n\t"
119  AESDEC xmm1_xmm0 "\n\t" // do round
120  "addq $16, %1 \n\t"
121  "subl $1, %0 \n\t"
122  "jnz 2b \n\t"
123  "movdqu (%1), %%xmm1 \n\t" // load round key
124  AESDECLAST xmm1_xmm0 "\n\t" // last round
125 
126  "3: \n\t"
127  "movdqu %%xmm0, (%4) \n\t" // export output
128  :
129  : "r" (ctx->nr), "r" (ctx->rk), "r" (mode), "r" (input), "r" (output)
130  : "memory", "cc", "xmm0", "xmm1" );
131 
132 
133  return( 0 );
134 }
135 
136 /*
137  * GCM multiplication: c = a times b in GF(2^128)
138  * Based on [CLMUL-WP] algorithms 1 (with equation 27) and 5.
139  */
140 void aesni_gcm_mult( unsigned char c[16],
141  const unsigned char a[16],
142  const unsigned char b[16] )
143 {
144  unsigned char aa[16], bb[16], cc[16];
145  size_t i;
146 
147  /* The inputs are in big-endian order, so byte-reverse them */
148  for( i = 0; i < 16; i++ )
149  {
150  aa[i] = a[15 - i];
151  bb[i] = b[15 - i];
152  }
153 
154  asm( "movdqu (%0), %%xmm0 \n\t" // a1:a0
155  "movdqu (%1), %%xmm1 \n\t" // b1:b0
156 
157  /*
158  * Caryless multiplication xmm2:xmm1 = xmm0 * xmm1
159  * using [CLMUL-WP] algorithm 1 (p. 13).
160  */
161  "movdqa %%xmm1, %%xmm2 \n\t" // copy of b1:b0
162  "movdqa %%xmm1, %%xmm3 \n\t" // same
163  "movdqa %%xmm1, %%xmm4 \n\t" // same
164  PCLMULQDQ xmm0_xmm1 ",0x00 \n\t" // a0*b0 = c1:c0
165  PCLMULQDQ xmm0_xmm2 ",0x11 \n\t" // a1*b1 = d1:d0
166  PCLMULQDQ xmm0_xmm3 ",0x10 \n\t" // a0*b1 = e1:e0
167  PCLMULQDQ xmm0_xmm4 ",0x01 \n\t" // a1*b0 = f1:f0
168  "pxor %%xmm3, %%xmm4 \n\t" // e1+f1:e0+f0
169  "movdqa %%xmm4, %%xmm3 \n\t" // same
170  "psrldq $8, %%xmm4 \n\t" // 0:e1+f1
171  "pslldq $8, %%xmm3 \n\t" // e0+f0:0
172  "pxor %%xmm4, %%xmm2 \n\t" // d1:d0+e1+f1
173  "pxor %%xmm3, %%xmm1 \n\t" // c1+e0+f1:c0
174 
175  /*
176  * Now shift the result one bit to the left,
177  * taking advantage of [CLMUL-WP] eq 27 (p. 20)
178  */
179  "movdqa %%xmm1, %%xmm3 \n\t" // r1:r0
180  "movdqa %%xmm2, %%xmm4 \n\t" // r3:r2
181  "psllq $1, %%xmm1 \n\t" // r1<<1:r0<<1
182  "psllq $1, %%xmm2 \n\t" // r3<<1:r2<<1
183  "psrlq $63, %%xmm3 \n\t" // r1>>63:r0>>63
184  "psrlq $63, %%xmm4 \n\t" // r3>>63:r2>>63
185  "movdqa %%xmm3, %%xmm5 \n\t" // r1>>63:r0>>63
186  "pslldq $8, %%xmm3 \n\t" // r0>>63:0
187  "pslldq $8, %%xmm4 \n\t" // r2>>63:0
188  "psrldq $8, %%xmm5 \n\t" // 0:r1>>63
189  "por %%xmm3, %%xmm1 \n\t" // r1<<1|r0>>63:r0<<1
190  "por %%xmm4, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1
191  "por %%xmm5, %%xmm2 \n\t" // r3<<1|r2>>62:r2<<1|r1>>63
192 
193  /*
194  * Now reduce modulo the GCM polynomial x^128 + x^7 + x^2 + x + 1
195  * using [CLMUL-WP] algorithm 5 (p. 20).
196  * Currently xmm2:xmm1 holds x3:x2:x1:x0 (already shifted).
197  */
198  /* Step 2 (1) */
199  "movdqa %%xmm1, %%xmm3 \n\t" // x1:x0
200  "movdqa %%xmm1, %%xmm4 \n\t" // same
201  "movdqa %%xmm1, %%xmm5 \n\t" // same
202  "psllq $63, %%xmm3 \n\t" // x1<<63:x0<<63 = stuff:a
203  "psllq $62, %%xmm4 \n\t" // x1<<62:x0<<62 = stuff:b
204  "psllq $57, %%xmm5 \n\t" // x1<<57:x0<<57 = stuff:c
205 
206  /* Step 2 (2) */
207  "pxor %%xmm4, %%xmm3 \n\t" // stuff:a+b
208  "pxor %%xmm5, %%xmm3 \n\t" // stuff:a+b+c
209  "pslldq $8, %%xmm3 \n\t" // a+b+c:0
210  "pxor %%xmm3, %%xmm1 \n\t" // x1+a+b+c:x0 = d:x0
211 
212  /* Steps 3 and 4 */
213  "movdqa %%xmm1,%%xmm0 \n\t" // d:x0
214  "movdqa %%xmm1,%%xmm4 \n\t" // same
215  "movdqa %%xmm1,%%xmm5 \n\t" // same
216  "psrlq $1, %%xmm0 \n\t" // e1:x0>>1 = e1:e0'
217  "psrlq $2, %%xmm4 \n\t" // f1:x0>>2 = f1:f0'
218  "psrlq $7, %%xmm5 \n\t" // g1:x0>>7 = g1:g0'
219  "pxor %%xmm4, %%xmm0 \n\t" // e1+f1:e0'+f0'
220  "pxor %%xmm5, %%xmm0 \n\t" // e1+f1+g1:e0'+f0'+g0'
221  // e0'+f0'+g0' is almost e0+f0+g0, ex\tcept for some missing
222  // bits carried from d. Now get those\t bits back in.
223  "movdqa %%xmm1,%%xmm3 \n\t" // d:x0
224  "movdqa %%xmm1,%%xmm4 \n\t" // same
225  "movdqa %%xmm1,%%xmm5 \n\t" // same
226  "psllq $63, %%xmm3 \n\t" // d<<63:stuff
227  "psllq $62, %%xmm4 \n\t" // d<<62:stuff
228  "psllq $57, %%xmm5 \n\t" // d<<57:stuff
229  "pxor %%xmm4, %%xmm3 \n\t" // d<<63+d<<62:stuff
230  "pxor %%xmm5, %%xmm3 \n\t" // missing bits of d:stuff
231  "psrldq $8, %%xmm3 \n\t" // 0:missing bits of d
232  "pxor %%xmm3, %%xmm0 \n\t" // e1+f1+g1:e0+f0+g0
233  "pxor %%xmm1, %%xmm0 \n\t" // h1:h0
234  "pxor %%xmm2, %%xmm0 \n\t" // x3+h1:x2+h0
235 
236  "movdqu %%xmm0, (%2) \n\t" // done
237  :
238  : "r" (aa), "r" (bb), "r" (cc)
239  : "memory", "cc", "xmm0", "xmm1", "xmm2", "xmm3", "xmm4", "xmm5" );
240 
241  /* Now byte-reverse the outputs */
242  for( i = 0; i < 16; i++ )
243  c[i] = cc[15 - i];
244 
245  return;
246 }
247 
248 /*
249  * Compute decryption round keys from encryption round keys
250  */
251 void aesni_inverse_key( unsigned char *invkey,
252  const unsigned char *fwdkey, int nr )
253 {
254  unsigned char *ik = invkey;
255  const unsigned char *fk = fwdkey + 16 * nr;
256 
257  memcpy( ik, fk, 16 );
258 
259  for( fk -= 16, ik += 16; fk > fwdkey; fk -= 16, ik += 16 )
260  asm( "movdqu (%0), %%xmm0 \n\t"
261  AESIMC xmm0_xmm0 "\n\t"
262  "movdqu %%xmm0, (%1) \n\t"
263  :
264  : "r" (fk), "r" (ik)
265  : "memory", "xmm0" );
266 
267  memcpy( ik, fk, 16 );
268 }
269 
270 /*
271  * Key expansion, 128-bit case
272  */
273 static void aesni_setkey_enc_128( unsigned char *rk,
274  const unsigned char *key )
275 {
276  asm( "movdqu (%1), %%xmm0 \n\t" // copy the original key
277  "movdqu %%xmm0, (%0) \n\t" // as round key 0
278  "jmp 2f \n\t" // skip auxiliary routine
279 
280  /*
281  * Finish generating the next round key.
282  *
283  * On entry xmm0 is r3:r2:r1:r0 and xmm1 is X:stuff:stuff:stuff
284  * with X = rot( sub( r3 ) ) ^ RCON.
285  *
286  * On exit, xmm0 is r7:r6:r5:r4
287  * with r4 = X + r0, r5 = r4 + r1, r6 = r5 + r2, r7 = r6 + r3
288  * and those are written to the round key buffer.
289  */
290  "1: \n\t"
291  "pshufd $0xff, %%xmm1, %%xmm1 \n\t" // X:X:X:X
292  "pxor %%xmm0, %%xmm1 \n\t" // X+r3:X+r2:X+r1:r4
293  "pslldq $4, %%xmm0 \n\t" // r2:r1:r0:0
294  "pxor %%xmm0, %%xmm1 \n\t" // X+r3+r2:X+r2+r1:r5:r4
295  "pslldq $4, %%xmm0 \n\t" // etc
296  "pxor %%xmm0, %%xmm1 \n\t"
297  "pslldq $4, %%xmm0 \n\t"
298  "pxor %%xmm1, %%xmm0 \n\t" // update xmm0 for next time!
299  "add $16, %0 \n\t" // point to next round key
300  "movdqu %%xmm0, (%0) \n\t" // write it
301  "ret \n\t"
302 
303  /* Main "loop" */
304  "2: \n\t"
305  AESKEYGENA xmm0_xmm1 ",0x01 \n\tcall 1b \n\t"
306  AESKEYGENA xmm0_xmm1 ",0x02 \n\tcall 1b \n\t"
307  AESKEYGENA xmm0_xmm1 ",0x04 \n\tcall 1b \n\t"
308  AESKEYGENA xmm0_xmm1 ",0x08 \n\tcall 1b \n\t"
309  AESKEYGENA xmm0_xmm1 ",0x10 \n\tcall 1b \n\t"
310  AESKEYGENA xmm0_xmm1 ",0x20 \n\tcall 1b \n\t"
311  AESKEYGENA xmm0_xmm1 ",0x40 \n\tcall 1b \n\t"
312  AESKEYGENA xmm0_xmm1 ",0x80 \n\tcall 1b \n\t"
313  AESKEYGENA xmm0_xmm1 ",0x1B \n\tcall 1b \n\t"
314  AESKEYGENA xmm0_xmm1 ",0x36 \n\tcall 1b \n\t"
315  :
316  : "r" (rk), "r" (key)
317  : "memory", "cc", "0" );
318 }
319 
320 /*
321  * Key expansion, 192-bit case
322  */
323 static void aesni_setkey_enc_192( unsigned char *rk,
324  const unsigned char *key )
325 {
326  asm( "movdqu (%1), %%xmm0 \n\t" // copy original round key
327  "movdqu %%xmm0, (%0) \n\t"
328  "add $16, %0 \n\t"
329  "movq 16(%1), %%xmm1 \n\t"
330  "movq %%xmm1, (%0) \n\t"
331  "add $8, %0 \n\t"
332  "jmp 2f \n\t" // skip auxiliary routine
333 
334  /*
335  * Finish generating the next 6 quarter-keys.
336  *
337  * On entry xmm0 is r3:r2:r1:r0, xmm1 is stuff:stuff:r5:r4
338  * and xmm2 is stuff:stuff:X:stuff with X = rot( sub( r3 ) ) ^ RCON.
339  *
340  * On exit, xmm0 is r9:r8:r7:r6 and xmm1 is stuff:stuff:r11:r10
341  * and those are written to the round key buffer.
342  */
343  "1: \n\t"
344  "pshufd $0x55, %%xmm2, %%xmm2 \n\t" // X:X:X:X
345  "pxor %%xmm0, %%xmm2 \n\t" // X+r3:X+r2:X+r1:r4
346  "pslldq $4, %%xmm0 \n\t" // etc
347  "pxor %%xmm0, %%xmm2 \n\t"
348  "pslldq $4, %%xmm0 \n\t"
349  "pxor %%xmm0, %%xmm2 \n\t"
350  "pslldq $4, %%xmm0 \n\t"
351  "pxor %%xmm2, %%xmm0 \n\t" // update xmm0 = r9:r8:r7:r6
352  "movdqu %%xmm0, (%0) \n\t"
353  "add $16, %0 \n\t"
354  "pshufd $0xff, %%xmm0, %%xmm2 \n\t" // r9:r9:r9:r9
355  "pxor %%xmm1, %%xmm2 \n\t" // stuff:stuff:r9+r5:r10
356  "pslldq $4, %%xmm1 \n\t" // r2:r1:r0:0
357  "pxor %%xmm2, %%xmm1 \n\t" // xmm1 = stuff:stuff:r11:r10
358  "movq %%xmm1, (%0) \n\t"
359  "add $8, %0 \n\t"
360  "ret \n\t"
361 
362  "2: \n\t"
363  AESKEYGENA xmm1_xmm2 ",0x01 \n\tcall 1b \n\t"
364  AESKEYGENA xmm1_xmm2 ",0x02 \n\tcall 1b \n\t"
365  AESKEYGENA xmm1_xmm2 ",0x04 \n\tcall 1b \n\t"
366  AESKEYGENA xmm1_xmm2 ",0x08 \n\tcall 1b \n\t"
367  AESKEYGENA xmm1_xmm2 ",0x10 \n\tcall 1b \n\t"
368  AESKEYGENA xmm1_xmm2 ",0x20 \n\tcall 1b \n\t"
369  AESKEYGENA xmm1_xmm2 ",0x40 \n\tcall 1b \n\t"
370  AESKEYGENA xmm1_xmm2 ",0x80 \n\tcall 1b \n\t"
371 
372  :
373  : "r" (rk), "r" (key)
374  : "memory", "cc", "0" );
375 }
376 
377 /*
378  * Key expansion, 256-bit case
379  */
380 static void aesni_setkey_enc_256( unsigned char *rk,
381  const unsigned char *key )
382 {
383  asm( "movdqu (%1), %%xmm0 \n\t"
384  "movdqu %%xmm0, (%0) \n\t"
385  "add $16, %0 \n\t"
386  "movdqu 16(%1), %%xmm1 \n\t"
387  "movdqu %%xmm1, (%0) \n\t"
388  "jmp 2f \n\t" // skip auxiliary routine
389 
390  /*
391  * Finish generating the next two round keys.
392  *
393  * On entry xmm0 is r3:r2:r1:r0, xmm1 is r7:r6:r5:r4 and
394  * xmm2 is X:stuff:stuff:stuff with X = rot( sub( r7 )) ^ RCON
395  *
396  * On exit, xmm0 is r11:r10:r9:r8 and xmm1 is r15:r14:r13:r12
397  * and those have been written to the output buffer.
398  */
399  "1: \n\t"
400  "pshufd $0xff, %%xmm2, %%xmm2 \n\t"
401  "pxor %%xmm0, %%xmm2 \n\t"
402  "pslldq $4, %%xmm0 \n\t"
403  "pxor %%xmm0, %%xmm2 \n\t"
404  "pslldq $4, %%xmm0 \n\t"
405  "pxor %%xmm0, %%xmm2 \n\t"
406  "pslldq $4, %%xmm0 \n\t"
407  "pxor %%xmm2, %%xmm0 \n\t"
408  "add $16, %0 \n\t"
409  "movdqu %%xmm0, (%0) \n\t"
410 
411  /* Set xmm2 to stuff:Y:stuff:stuff with Y = subword( r11 )
412  * and proceed to generate next round key from there */
413  AESKEYGENA xmm0_xmm2 ",0x00 \n\t"
414  "pshufd $0xaa, %%xmm2, %%xmm2 \n\t"
415  "pxor %%xmm1, %%xmm2 \n\t"
416  "pslldq $4, %%xmm1 \n\t"
417  "pxor %%xmm1, %%xmm2 \n\t"
418  "pslldq $4, %%xmm1 \n\t"
419  "pxor %%xmm1, %%xmm2 \n\t"
420  "pslldq $4, %%xmm1 \n\t"
421  "pxor %%xmm2, %%xmm1 \n\t"
422  "add $16, %0 \n\t"
423  "movdqu %%xmm1, (%0) \n\t"
424  "ret \n\t"
425 
426  /*
427  * Main "loop" - Generating one more key than necessary,
428  * see definition of aes_context.buf
429  */
430  "2: \n\t"
431  AESKEYGENA xmm1_xmm2 ",0x01 \n\tcall 1b \n\t"
432  AESKEYGENA xmm1_xmm2 ",0x02 \n\tcall 1b \n\t"
433  AESKEYGENA xmm1_xmm2 ",0x04 \n\tcall 1b \n\t"
434  AESKEYGENA xmm1_xmm2 ",0x08 \n\tcall 1b \n\t"
435  AESKEYGENA xmm1_xmm2 ",0x10 \n\tcall 1b \n\t"
436  AESKEYGENA xmm1_xmm2 ",0x20 \n\tcall 1b \n\t"
437  AESKEYGENA xmm1_xmm2 ",0x40 \n\tcall 1b \n\t"
438  :
439  : "r" (rk), "r" (key)
440  : "memory", "cc", "0" );
441 }
442 
443 /*
444  * Key expansion, wrapper
445  */
446 int aesni_setkey_enc( unsigned char *rk,
447  const unsigned char *key,
448  size_t bits )
449 {
450  switch( bits )
451  {
452  case 128: aesni_setkey_enc_128( rk, key ); break;
453  case 192: aesni_setkey_enc_192( rk, key ); break;
454  case 256: aesni_setkey_enc_256( rk, key ); break;
455  default : return( POLARSSL_ERR_AES_INVALID_KEY_LENGTH );
456  }
457 
458  return( 0 );
459 }
460 
461 #endif /* POLARSSL_HAVE_X86_64 */
462 
463 #endif /* POLARSSL_AESNI_C */