LXR linux/arch/x86/crypto/sha256_ni

   1/*
   2 * Intel SHA Extensions optimized implementation of a SHA-256 update function
   3 *
   4 * This file is provided under a dual BSD/GPLv2 license.  When using or
   5 * redistributing this file, you may do so under either license.
   6 *
   7 * GPL LICENSE SUMMARY
   8 *
   9 * Copyright(c) 2015 Intel Corporation.
  10 *
  11 * This program is free software; you can redistribute it and/or modify
  12 * it under the terms of version 2 of the GNU General Public License as
  13 * published by the Free Software Foundation.
  14 *
  15 * This program is distributed in the hope that it will be useful, but
  16 * WITHOUT ANY WARRANTY; without even the implied warranty of
  17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  18 * General Public License for more details.
  19 *
  20 * Contact Information:
  21 *      Sean Gulley <sean.m.gulley@intel.com>
  22 *      Tim Chen <tim.c.chen@linux.intel.com>
  23 *
  24 * BSD LICENSE
  25 *
  26 * Copyright(c) 2015 Intel Corporation.
  27 *
  28 * Redistribution and use in source and binary forms, with or without
  29 * modification, are permitted provided that the following conditions
  30 * are met:
  31 *
  32 *      * Redistributions of source code must retain the above copyright
  33 *        notice, this list of conditions and the following disclaimer.
  34 *      * Redistributions in binary form must reproduce the above copyright
  35 *        notice, this list of conditions and the following disclaimer in
  36 *        the documentation and/or other materials provided with the
  37 *        distribution.
  38 *      * Neither the name of Intel Corporation nor the names of its
  39 *        contributors may be used to endorse or promote products derived
  40 *        from this software without specific prior written permission.
  41 *
  42 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  43 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  44 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
  45 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
  46 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  47 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
  48 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  49 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  50 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  51 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  52 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  53 *
  54 */
  55
  56#include <linux/linkage.h>
  57
  58#define DIGEST_PTR      %rdi    /* 1st arg */
  59#define DATA_PTR        %rsi    /* 2nd arg */
  60#define NUM_BLKS        %rdx    /* 3rd arg */
  61
  62#define SHA256CONSTANTS %rax
  63
  64#define MSG             %xmm0
  65#define STATE0          %xmm1
  66#define STATE1          %xmm2
  67#define MSGTMP0         %xmm3
  68#define MSGTMP1         %xmm4
  69#define MSGTMP2         %xmm5
  70#define MSGTMP3         %xmm6
  71#define MSGTMP4         %xmm7
  72
  73#define SHUF_MASK       %xmm8
  74
  75#define ABEF_SAVE       %xmm9
  76#define CDGH_SAVE       %xmm10
  77
  78/*
  79 * Intel SHA Extensions optimized implementation of a SHA-256 update function
  80 *
  81 * The function takes a pointer to the current hash values, a pointer to the
  82 * input data, and a number of 64 byte blocks to process.  Once all blocks have
  83 * been processed, the digest pointer is  updated with the resulting hash value.
  84 * The function only processes complete blocks, there is no functionality to
  85 * store partial blocks.  All message padding and hash value initialization must
  86 * be done outside the update function.
  87 *
  88 * The indented lines in the loop are instructions related to rounds processing.
  89 * The non-indented lines are instructions related to the message schedule.
  90 *
  91 * void sha256_ni_transform(uint32_t *digest, const void *data,
  92                uint32_t numBlocks);
  93 * digest : pointer to digest
  94 * data: pointer to input data
  95 * numBlocks: Number of blocks to process
  96 */
  97
  98.text
  99.align 32
 100SYM_FUNC_START(sha256_ni_transform)
 101
 102        shl             $6, NUM_BLKS            /*  convert to bytes */
 103        jz              .Ldone_hash
 104        add             DATA_PTR, NUM_BLKS      /* pointer to end of data */
 105
 106        /*
 107         * load initial hash values
 108         * Need to reorder these appropriately
 109         * DCBA, HGFE -> ABEF, CDGH
 110         */
 111        movdqu          0*16(DIGEST_PTR), STATE0
 112        movdqu          1*16(DIGEST_PTR), STATE1
 113
 114        pshufd          $0xB1, STATE0,  STATE0          /* CDAB */
 115        pshufd          $0x1B, STATE1,  STATE1          /* EFGH */
 116        movdqa          STATE0, MSGTMP4
 117        palignr         $8, STATE1,  STATE0             /* ABEF */
 118        pblendw         $0xF0, MSGTMP4, STATE1          /* CDGH */
 119
 120        movdqa          PSHUFFLE_BYTE_FLIP_MASK(%rip), SHUF_MASK
 121        lea             K256(%rip), SHA256CONSTANTS
 122
 123.Lloop0:
 124        /* Save hash values for addition after rounds */
 125        movdqa          STATE0, ABEF_SAVE
 126        movdqa          STATE1, CDGH_SAVE
 127
 128        /* Rounds 0-3 */
 129        movdqu          0*16(DATA_PTR), MSG
 130        pshufb          SHUF_MASK, MSG
 131        movdqa          MSG, MSGTMP0
 132                paddd           0*16(SHA256CONSTANTS), MSG
 133                sha256rnds2     STATE0, STATE1
 134                pshufd          $0x0E, MSG, MSG
 135                sha256rnds2     STATE1, STATE0
 136
 137        /* Rounds 4-7 */
 138        movdqu          1*16(DATA_PTR), MSG
 139        pshufb          SHUF_MASK, MSG
 140        movdqa          MSG, MSGTMP1
 141                paddd           1*16(SHA256CONSTANTS), MSG
 142                sha256rnds2     STATE0, STATE1
 143                pshufd          $0x0E, MSG, MSG
 144                sha256rnds2     STATE1, STATE0
 145        sha256msg1      MSGTMP1, MSGTMP0
 146
 147        /* Rounds 8-11 */
 148        movdqu          2*16(DATA_PTR), MSG
 149        pshufb          SHUF_MASK, MSG
 150        movdqa          MSG, MSGTMP2
 151                paddd           2*16(SHA256CONSTANTS), MSG
 152                sha256rnds2     STATE0, STATE1
 153                pshufd          $0x0E, MSG, MSG
 154                sha256rnds2     STATE1, STATE0
 155        sha256msg1      MSGTMP2, MSGTMP1
 156
 157        /* Rounds 12-15 */
 158        movdqu          3*16(DATA_PTR), MSG
 159        pshufb          SHUF_MASK, MSG
 160        movdqa          MSG, MSGTMP3
 161                paddd           3*16(SHA256CONSTANTS), MSG
 162                sha256rnds2     STATE0, STATE1
 163        movdqa          MSGTMP3, MSGTMP4
 164        palignr         $4, MSGTMP2, MSGTMP4
 165        paddd           MSGTMP4, MSGTMP0
 166        sha256msg2      MSGTMP3, MSGTMP0
 167                pshufd          $0x0E, MSG, MSG
 168                sha256rnds2     STATE1, STATE0
 169        sha256msg1      MSGTMP3, MSGTMP2
 170
 171        /* Rounds 16-19 */
 172        movdqa          MSGTMP0, MSG
 173                paddd           4*16(SHA256CONSTANTS), MSG
 174                sha256rnds2     STATE0, STATE1
 175        movdqa          MSGTMP0, MSGTMP4
 176        palignr         $4, MSGTMP3, MSGTMP4
 177        paddd           MSGTMP4, MSGTMP1
 178        sha256msg2      MSGTMP0, MSGTMP1
 179                pshufd          $0x0E, MSG, MSG
 180                sha256rnds2     STATE1, STATE0
 181        sha256msg1      MSGTMP0, MSGTMP3
 182
 183        /* Rounds 20-23 */
 184        movdqa          MSGTMP1, MSG
 185                paddd           5*16(SHA256CONSTANTS), MSG
 186                sha256rnds2     STATE0, STATE1
 187        movdqa          MSGTMP1, MSGTMP4
 188        palignr         $4, MSGTMP0, MSGTMP4
 189        paddd           MSGTMP4, MSGTMP2
 190        sha256msg2      MSGTMP1, MSGTMP2
 191                pshufd          $0x0E, MSG, MSG
 192                sha256rnds2     STATE1, STATE0
 193        sha256msg1      MSGTMP1, MSGTMP0
 194
 195        /* Rounds 24-27 */
 196        movdqa          MSGTMP2, MSG
 197                paddd           6*16(SHA256CONSTANTS), MSG
 198                sha256rnds2     STATE0, STATE1
 199        movdqa          MSGTMP2, MSGTMP4
 200        palignr         $4, MSGTMP1, MSGTMP4
 201        paddd           MSGTMP4, MSGTMP3
 202        sha256msg2      MSGTMP2, MSGTMP3
 203                pshufd          $0x0E, MSG, MSG
 204                sha256rnds2     STATE1, STATE0
 205        sha256msg1      MSGTMP2, MSGTMP1
 206
 207        /* Rounds 28-31 */
 208        movdqa          MSGTMP3, MSG
 209                paddd           7*16(SHA256CONSTANTS), MSG
 210                sha256rnds2     STATE0, STATE1
 211        movdqa          MSGTMP3, MSGTMP4
 212        palignr         $4, MSGTMP2, MSGTMP4
 213        paddd           MSGTMP4, MSGTMP0
 214        sha256msg2      MSGTMP3, MSGTMP0
 215                pshufd          $0x0E, MSG, MSG
 216                sha256rnds2     STATE1, STATE0
 217        sha256msg1      MSGTMP3, MSGTMP2
 218
 219        /* Rounds 32-35 */
 220        movdqa          MSGTMP0, MSG
 221                paddd           8*16(SHA256CONSTANTS), MSG
 222                sha256rnds2     STATE0, STATE1
 223        movdqa          MSGTMP0, MSGTMP4
 224        palignr         $4, MSGTMP3, MSGTMP4
 225        paddd           MSGTMP4, MSGTMP1
 226        sha256msg2      MSGTMP0, MSGTMP1
 227                pshufd          $0x0E, MSG, MSG
 228                sha256rnds2     STATE1, STATE0
 229        sha256msg1      MSGTMP0, MSGTMP3
 230
 231        /* Rounds 36-39 */
 232        movdqa          MSGTMP1, MSG
 233                paddd           9*16(SHA256CONSTANTS), MSG
 234                sha256rnds2     STATE0, STATE1
 235        movdqa          MSGTMP1, MSGTMP4
 236        palignr         $4, MSGTMP0, MSGTMP4
 237        paddd           MSGTMP4, MSGTMP2
 238        sha256msg2      MSGTMP1, MSGTMP2
 239                pshufd          $0x0E, MSG, MSG
 240                sha256rnds2     STATE1, STATE0
 241        sha256msg1      MSGTMP1, MSGTMP0
 242
 243        /* Rounds 40-43 */
 244        movdqa          MSGTMP2, MSG
 245                paddd           10*16(SHA256CONSTANTS), MSG
 246                sha256rnds2     STATE0, STATE1
 247        movdqa          MSGTMP2, MSGTMP4
 248        palignr         $4, MSGTMP1, MSGTMP4
 249        paddd           MSGTMP4, MSGTMP3
 250        sha256msg2      MSGTMP2, MSGTMP3
 251                pshufd          $0x0E, MSG, MSG
 252                sha256rnds2     STATE1, STATE0
 253        sha256msg1      MSGTMP2, MSGTMP1
 254
 255        /* Rounds 44-47 */
 256        movdqa          MSGTMP3, MSG
 257                paddd           11*16(SHA256CONSTANTS), MSG
 258                sha256rnds2     STATE0, STATE1
 259        movdqa          MSGTMP3, MSGTMP4
 260        palignr         $4, MSGTMP2, MSGTMP4
 261        paddd           MSGTMP4, MSGTMP0
 262        sha256msg2      MSGTMP3, MSGTMP0
 263                pshufd          $0x0E, MSG, MSG
 264                sha256rnds2     STATE1, STATE0
 265        sha256msg1      MSGTMP3, MSGTMP2
 266
 267        /* Rounds 48-51 */
 268        movdqa          MSGTMP0, MSG
 269                paddd           12*16(SHA256CONSTANTS), MSG
 270                sha256rnds2     STATE0, STATE1
 271        movdqa          MSGTMP0, MSGTMP4
 272        palignr         $4, MSGTMP3, MSGTMP4
 273        paddd           MSGTMP4, MSGTMP1
 274        sha256msg2      MSGTMP0, MSGTMP1
 275                pshufd          $0x0E, MSG, MSG
 276                sha256rnds2     STATE1, STATE0
 277        sha256msg1      MSGTMP0, MSGTMP3
 278
 279        /* Rounds 52-55 */
 280        movdqa          MSGTMP1, MSG
 281                paddd           13*16(SHA256CONSTANTS), MSG
 282                sha256rnds2     STATE0, STATE1
 283        movdqa          MSGTMP1, MSGTMP4
 284        palignr         $4, MSGTMP0, MSGTMP4
 285        paddd           MSGTMP4, MSGTMP2
 286        sha256msg2      MSGTMP1, MSGTMP2
 287                pshufd          $0x0E, MSG, MSG
 288                sha256rnds2     STATE1, STATE0
 289
 290        /* Rounds 56-59 */
 291        movdqa          MSGTMP2, MSG
 292                paddd           14*16(SHA256CONSTANTS), MSG
 293                sha256rnds2     STATE0, STATE1
 294        movdqa          MSGTMP2, MSGTMP4
 295        palignr         $4, MSGTMP1, MSGTMP4
 296        paddd           MSGTMP4, MSGTMP3
 297        sha256msg2      MSGTMP2, MSGTMP3
 298                pshufd          $0x0E, MSG, MSG
 299                sha256rnds2     STATE1, STATE0
 300
 301        /* Rounds 60-63 */
 302        movdqa          MSGTMP3, MSG
 303                paddd           15*16(SHA256CONSTANTS), MSG
 304                sha256rnds2     STATE0, STATE1
 305                pshufd          $0x0E, MSG, MSG
 306                sha256rnds2     STATE1, STATE0
 307
 308        /* Add current hash values with previously saved */
 309        paddd           ABEF_SAVE, STATE0
 310        paddd           CDGH_SAVE, STATE1
 311
 312        /* Increment data pointer and loop if more to process */
 313        add             $64, DATA_PTR
 314        cmp             NUM_BLKS, DATA_PTR
 315        jne             .Lloop0
 316
 317        /* Write hash values back in the correct order */
 318        pshufd          $0x1B, STATE0,  STATE0          /* FEBA */
 319        pshufd          $0xB1, STATE1,  STATE1          /* DCHG */
 320        movdqa          STATE0, MSGTMP4
 321        pblendw         $0xF0, STATE1,  STATE0          /* DCBA */
 322        palignr         $8, MSGTMP4, STATE1             /* HGFE */
 323
 324        movdqu          STATE0, 0*16(DIGEST_PTR)
 325        movdqu          STATE1, 1*16(DIGEST_PTR)
 326
 327.Ldone_hash:
 328
 329        ret
 330SYM_FUNC_END(sha256_ni_transform)
 331
 332.section        .rodata.cst256.K256, "aM", @progbits, 256
 333.align 64
 334K256:
 335        .long   0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5
 336        .long   0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5
 337        .long   0xd807aa98,0x12835b01,0x243185be,0x550c7dc3
 338        .long   0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174
 339        .long   0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc
 340        .long   0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da
 341        .long   0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7
 342        .long   0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967
 343        .long   0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13
 344        .long   0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85
 345        .long   0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3
 346        .long   0xd192e819,0xd6990624,0xf40e3585,0x106aa070
 347        .long   0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5
 348        .long   0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3
 349        .long   0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208
 350        .long   0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
 351
 352.section        .rodata.cst16.PSHUFFLE_BYTE_FLIP_MASK, "aM", @progbits, 16
 353.align 16
 354PSHUFFLE_BYTE_FLIP_MASK:
 355        .octa 0x0c0d0e0f08090a0b0405060700010203
 356