1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
|
// Copyright 2019 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
//go:build ppc64 || ppc64le
// Portions based on CRYPTOGAMS code with the following comment:
// # ====================================================================
// # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
// # project. The module is, however, dual licensed under OpenSSL and
// # CRYPTOGAMS licenses depending on where you obtain it. For further
// # details see http://www.openssl.org/~appro/cryptogams/.
// # ====================================================================
// The implementations for gcmHash, gcmInit and gcmMul are based on the generated asm
// from the script https://github.com/dot-asm/cryptogams/blob/master/ppc/ghashp8-ppc.pl
// from commit d47afb3c.
// Changes were made due to differences in the ABI and some register usage.
// Some arguments were changed due to the way the Go code passes them.
// Portions that use the stitched AES-GCM approach in counterCryptASM
// are based on code found in
// https://github.com/IBM/ipcri/blob/main/aes/p10_aes_gcm.s
#include "textflag.h"
#define XIP R3
#define HTBL R4
#define INP R5
#define LEN R6
#define XL V0
#define XM V1
#define XH V2
#define IN V3
#define ZERO V4
#define T0 V5
#define T1 V6
#define T2 V7
#define XC2 V8
#define H V9
#define HH V10
#define HL V11
#define LEMASK V12
#define XL1 V13
#define XM1 V14
#define XH1 V15
#define IN1 V16
#define H2 V17
#define H2H V18
#define H2L V19
#define XL3 V20
#define XM2 V21
#define IN2 V22
#define H3L V23
#define H3 V24
#define H3H V25
#define XH3 V26
#define XM3 V27
#define IN3 V28
#define H4L V29
#define H4 V30
#define H4H V31
#define IN0 IN
#define H21L HL
#define H21H HH
#define LOPERM H2L
#define HIPERM H2H
#define VXL VS32
#define VIN VS35
#define VXC2 VS40
#define VH VS41
#define VHH VS42
#define VHL VS43
#define VIN1 VS48
#define VH2 VS49
#define VH2H VS50
#define VH2L VS51
#define VIN2 VS54
#define VH3L VS55
#define VH3 VS56
#define VH3H VS57
#define VIN3 VS60
#define VH4L VS61
#define VH4 VS62
#define VH4H VS63
#define VIN0 VIN
#define ESPERM V10
#define TMP2 V11
// The following macros provide appropriate
// implementations for endianness as well as
// ISA specific for power8 and power9.
#ifdef GOARCH_ppc64le
# ifdef GOPPC64_power9
#define P8_LXVB16X(RA,RB,VT) LXVB16X (RA)(RB), VT
#define P8_STXVB16X(VS,RA,RB) STXVB16X VS, (RA)(RB)
# else
#define NEEDS_ESPERM
#define P8_LXVB16X(RA,RB,VT) \
LXVD2X (RA+RB), VT \
VPERM VT, VT, ESPERM, VT
#define P8_STXVB16X(VS,RA,RB) \
VPERM VS, VS, ESPERM, TMP2; \
STXVD2X TMP2, (RA+RB)
# endif
#else
#define P8_LXVB16X(RA,RB,VT) \
LXVD2X (RA+RB), VT
#define P8_STXVB16X(VS,RA,RB) \
STXVD2X VS, (RA+RB)
#endif
#define MASK_PTR R8
#define MASKV V0
#define INV V1
// The following macros are used for
// the stitched implementation within
// counterCryptASM.
// Load the initial GCM counter value
// in V30 and set up the counter increment
// in V31
#define SETUP_COUNTER \
P8_LXVB16X(COUNTER, R0, V30); \
VSPLTISB $1, V28; \
VXOR V31, V31, V31; \
VSLDOI $1, V31, V28, V31
// These macros set up the initial value
// for a single encryption, or 4 or 8
// stitched encryptions implemented
// with interleaving vciphers.
//
// The input value for each encryption
// is generated by XORing the counter
// from V30 with the first key in VS0
// and incrementing the counter.
//
// Single encryption in V15
#define GEN_VCIPHER_INPUT \
XXLOR VS0, VS0, V29 \
VXOR V30, V29, V15; \
VADDUWM V30, V31, V30
// 4 encryptions in V15 - V18
#define GEN_VCIPHER_4_INPUTS \
XXLOR VS0, VS0, V29; \
VXOR V30, V29, V15; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V16; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V17; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V18; \
VADDUWM V30, V31, V30
// 8 encryptions in V15 - V22
#define GEN_VCIPHER_8_INPUTS \
XXLOR VS0, VS0, V29; \
VXOR V30, V29, V15; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V16; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V17; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V18; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V19; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V20; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V21; \
VADDUWM V30, V31, V30; \
VXOR V30, V29, V22; \
VADDUWM V30, V31, V30
// Load the keys to be used for
// encryption based on key_len.
// Keys are in VS0 - VS14
// depending on key_len.
// Valid keys sizes are verified
// here. CR2 is set and used
// throughout to check key_len.
#define LOAD_KEYS(blk_key, key_len) \
MOVD $16, R16; \
MOVD $32, R17; \
MOVD $48, R18; \
MOVD $64, R19; \
LXVD2X (blk_key)(R0), VS0; \
LXVD2X (blk_key)(R16), VS1; \
LXVD2X (blk_key)(R17), VS2; \
LXVD2X (blk_key)(R18), VS3; \
LXVD2X (blk_key)(R19), VS4; \
ADD $64, R16; \
ADD $64, R17; \
ADD $64, R18; \
ADD $64, R19; \
LXVD2X (blk_key)(R16), VS5; \
LXVD2X (blk_key)(R17), VS6; \
LXVD2X (blk_key)(R18), VS7; \
LXVD2X (blk_key)(R19), VS8; \
ADD $64, R16; \
ADD $64, R17; \
ADD $64, R18; \
ADD $64, R19; \
LXVD2X (blk_key)(R16), VS9; \
LXVD2X (blk_key)(R17), VS10; \
CMP key_len, $12, CR2; \
CMP key_len, $10; \
BEQ keysLoaded; \
LXVD2X (blk_key)(R18), VS11; \
LXVD2X (blk_key)(R19), VS12; \
BEQ CR2, keysLoaded; \
ADD $64, R16; \
ADD $64, R17; \
LXVD2X (blk_key)(R16), VS13; \
LXVD2X (blk_key)(R17), VS14; \
CMP key_len, $14; \
BEQ keysLoaded; \
MOVD R0,0(R0); \
keysLoaded:
// Encrypt 1 (vin) with first 9
// keys from VS1 - VS9.
#define VCIPHER_1X9_KEYS(vin) \
XXLOR VS1, VS1, V23; \
XXLOR VS2, VS2, V24; \
XXLOR VS3, VS3, V25; \
XXLOR VS4, VS4, V26; \
XXLOR VS5, VS5, V27; \
VCIPHER vin, V23, vin; \
VCIPHER vin, V24, vin; \
VCIPHER vin, V25, vin; \
VCIPHER vin, V26, vin; \
VCIPHER vin, V27, vin; \
XXLOR VS6, VS6, V23; \
XXLOR VS7, VS7, V24; \
XXLOR VS8, VS8, V25; \
XXLOR VS9, VS9, V26; \
VCIPHER vin, V23, vin; \
VCIPHER vin, V24, vin; \
VCIPHER vin, V25, vin; \
VCIPHER vin, V26, vin
// Encrypt 1 value (vin) with
// 2 specified keys
#define VCIPHER_1X2_KEYS(vin, key1, key2) \
XXLOR key1, key1, V25; \
XXLOR key2, key2, V26; \
VCIPHER vin, V25, vin; \
VCIPHER vin, V26, vin
// Encrypt 4 values in V15 - V18
// with the specified key from
// VS1 - VS9.
#define VCIPHER_4X1_KEY(key) \
XXLOR key, key, V23; \
VCIPHER V15, V23, V15; \
VCIPHER V16, V23, V16; \
VCIPHER V17, V23, V17; \
VCIPHER V18, V23, V18
// Encrypt 8 values in V15 - V22
// with the specified key,
// assuming it is a VSreg
#define VCIPHER_8X1_KEY(key) \
XXLOR key, key, V23; \
VCIPHER V15, V23, V15; \
VCIPHER V16, V23, V16; \
VCIPHER V17, V23, V17; \
VCIPHER V18, V23, V18; \
VCIPHER V19, V23, V19; \
VCIPHER V20, V23, V20; \
VCIPHER V21, V23, V21; \
VCIPHER V22, V23, V22
// Load input block into V1-V4
// in big endian order and
// update blk_inp by 64.
#define LOAD_INPUT_BLOCK64(blk_inp) \
MOVD $16, R16; \
MOVD $32, R17; \
MOVD $48, R18; \
P8_LXVB16X(blk_inp,R0,V1); \
P8_LXVB16X(blk_inp,R16,V2); \
P8_LXVB16X(blk_inp,R17,V3); \
P8_LXVB16X(blk_inp,R18,V4); \
ADD $64, blk_inp
// Load input block into V1-V8
// in big endian order and
// Update blk_inp by 128
#define LOAD_INPUT_BLOCK128(blk_inp) \
MOVD $16, R16; \
MOVD $32, R17; \
MOVD $48, R18; \
MOVD $64, R19; \
MOVD $80, R20; \
MOVD $96, R21; \
MOVD $112, R22; \
P8_LXVB16X(blk_inp,R0,V1); \
P8_LXVB16X(blk_inp,R16,V2); \
P8_LXVB16X(blk_inp,R17,V3); \
P8_LXVB16X(blk_inp,R18,V4); \
P8_LXVB16X(blk_inp,R19,V5); \
P8_LXVB16X(blk_inp,R20,V6); \
P8_LXVB16X(blk_inp,R21,V7); \
P8_LXVB16X(blk_inp,R22,V8); \
ADD $128, blk_inp
// Finish encryption on 8 streams and
// XOR with input block
#define VCIPHERLAST8_XOR_INPUT \
VCIPHERLAST V15, V23, V15; \
VCIPHERLAST V16, V23, V16; \
VCIPHERLAST V17, V23, V17; \
VCIPHERLAST V18, V23, V18; \
VCIPHERLAST V19, V23, V19; \
VCIPHERLAST V20, V23, V20; \
VCIPHERLAST V21, V23, V21; \
VCIPHERLAST V22, V23, V22; \
XXLXOR V1, V15, V1; \
XXLXOR V2, V16, V2; \
XXLXOR V3, V17, V3; \
XXLXOR V4, V18, V4; \
XXLXOR V5, V19, V5; \
XXLXOR V6, V20, V6; \
XXLXOR V7, V21, V7; \
XXLXOR V8, V22, V8
// Finish encryption on 4 streams and
// XOR with input block
#define VCIPHERLAST4_XOR_INPUT \
VCIPHERLAST V15, V23, V15; \
VCIPHERLAST V16, V23, V16; \
VCIPHERLAST V17, V23, V17; \
VCIPHERLAST V18, V23, V18; \
XXLXOR V1, V15, V1; \
XXLXOR V2, V16, V2; \
XXLXOR V3, V17, V3; \
XXLXOR V4, V18, V4
// Store output block from V1-V8
// in big endian order and
// Update blk_out by 128
#define STORE_OUTPUT_BLOCK128(blk_out) \
P8_STXVB16X(V1,blk_out,R0); \
P8_STXVB16X(V2,blk_out,R16); \
P8_STXVB16X(V3,blk_out,R17); \
P8_STXVB16X(V4,blk_out,R18); \
P8_STXVB16X(V5,blk_out,R19); \
P8_STXVB16X(V6,blk_out,R20); \
P8_STXVB16X(V7,blk_out,R21); \
P8_STXVB16X(V8,blk_out,R22); \
ADD $128, blk_out
// Store output block from V1-V4
// in big endian order and
// Update blk_out by 64
#define STORE_OUTPUT_BLOCK64(blk_out) \
P8_STXVB16X(V1,blk_out,R0); \
P8_STXVB16X(V2,blk_out,R16); \
P8_STXVB16X(V3,blk_out,R17); \
P8_STXVB16X(V4,blk_out,R18); \
ADD $64, blk_out
// func gcmInit(productTable *[256]byte, h []byte)
TEXT ·gcmInit(SB), NOSPLIT, $0-32
MOVD productTable+0(FP), XIP
MOVD h+8(FP), HTBL
MOVD $0x10, R8
MOVD $0x20, R9
MOVD $0x30, R10
LXVD2X (HTBL)(R0), VH // Load H
VSPLTISB $-16, XC2 // 0xf0
VSPLTISB $1, T0 // one
VADDUBM XC2, XC2, XC2 // 0xe0
VXOR ZERO, ZERO, ZERO
VOR XC2, T0, XC2 // 0xe1
VSLDOI $15, XC2, ZERO, XC2 // 0xe1...
VSLDOI $1, ZERO, T0, T1 // ...1
VADDUBM XC2, XC2, XC2 // 0xc2...
VSPLTISB $7, T2
VOR XC2, T1, XC2 // 0xc2....01
VSPLTB $0, H, T1 // most significant byte
VSL H, T0, H // H<<=1
VSRAB T1, T2, T1 // broadcast carry bit
VAND T1, XC2, T1
VXOR H, T1, IN // twisted H
VSLDOI $8, IN, IN, H // twist even more ...
VSLDOI $8, ZERO, XC2, XC2 // 0xc2.0
VSLDOI $8, ZERO, H, HL // ... and split
VSLDOI $8, H, ZERO, HH
STXVD2X VXC2, (XIP+R0) // save pre-computed table
STXVD2X VHL, (XIP+R8)
MOVD $0x40, R8
STXVD2X VH, (XIP+R9)
MOVD $0x50, R9
STXVD2X VHH, (XIP+R10)
MOVD $0x60, R10
VPMSUMD IN, HL, XL // H.lo·H.lo
VPMSUMD IN, H, XM // H.hi·H.lo+H.lo·H.hi
VPMSUMD IN, HH, XH // H.hi·H.hi
VPMSUMD XL, XC2, T2 // 1st reduction phase
VSLDOI $8, XM, ZERO, T0
VSLDOI $8, ZERO, XM, T1
VXOR XL, T0, XL
VXOR XH, T1, XH
VSLDOI $8, XL, XL, XL
VXOR XL, T2, XL
VSLDOI $8, XL, XL, T1 // 2nd reduction phase
VPMSUMD XL, XC2, XL
VXOR T1, XH, T1
VXOR XL, T1, IN1
VSLDOI $8, IN1, IN1, H2
VSLDOI $8, ZERO, H2, H2L
VSLDOI $8, H2, ZERO, H2H
STXVD2X VH2L, (XIP+R8) // save H^2
MOVD $0x70, R8
STXVD2X VH2, (XIP+R9)
MOVD $0x80, R9
STXVD2X VH2H, (XIP+R10)
MOVD $0x90, R10
VPMSUMD IN, H2L, XL // H.lo·H^2.lo
VPMSUMD IN1, H2L, XL1 // H^2.lo·H^2.lo
VPMSUMD IN, H2, XM // H.hi·H^2.lo+H.lo·H^2.hi
VPMSUMD IN1, H2, XM1 // H^2.hi·H^2.lo+H^2.lo·H^2.hi
VPMSUMD IN, H2H, XH // H.hi·H^2.hi
VPMSUMD IN1, H2H, XH1 // H^2.hi·H^2.hi
VPMSUMD XL, XC2, T2 // 1st reduction phase
VPMSUMD XL1, XC2, HH // 1st reduction phase
VSLDOI $8, XM, ZERO, T0
VSLDOI $8, ZERO, XM, T1
VSLDOI $8, XM1, ZERO, HL
VSLDOI $8, ZERO, XM1, H
VXOR XL, T0, XL
VXOR XH, T1, XH
VXOR XL1, HL, XL1
VXOR XH1, H, XH1
VSLDOI $8, XL, XL, XL
VSLDOI $8, XL1, XL1, XL1
VXOR XL, T2, XL
VXOR XL1, HH, XL1
VSLDOI $8, XL, XL, T1 // 2nd reduction phase
VSLDOI $8, XL1, XL1, H // 2nd reduction phase
VPMSUMD XL, XC2, XL
VPMSUMD XL1, XC2, XL1
VXOR T1, XH, T1
VXOR H, XH1, H
VXOR XL, T1, XL
VXOR XL1, H, XL1
VSLDOI $8, XL, XL, H
VSLDOI $8, XL1, XL1, H2
VSLDOI $8, ZERO, H, HL
VSLDOI $8, H, ZERO, HH
VSLDOI $8, ZERO, H2, H2L
VSLDOI $8, H2, ZERO, H2H
STXVD2X VHL, (XIP+R8) // save H^3
MOVD $0xa0, R8
STXVD2X VH, (XIP+R9)
MOVD $0xb0, R9
STXVD2X VHH, (XIP+R10)
MOVD $0xc0, R10
STXVD2X VH2L, (XIP+R8) // save H^4
STXVD2X VH2, (XIP+R9)
STXVD2X VH2H, (XIP+R10)
RET
// func gcmHash(output []byte, productTable *[256]byte, inp []byte, len int)
TEXT ·gcmHash(SB), NOSPLIT, $0-64
MOVD output+0(FP), XIP
MOVD productTable+24(FP), HTBL
MOVD inp+32(FP), INP
MOVD len+56(FP), LEN
MOVD $0x10, R8
MOVD $0x20, R9
MOVD $0x30, R10
LXVD2X (XIP)(R0), VXL // load Xi
LXVD2X (HTBL)(R8), VHL // load pre-computed table
MOVD $0x40, R8
LXVD2X (HTBL)(R9), VH
MOVD $0x50, R9
LXVD2X (HTBL)(R10), VHH
MOVD $0x60, R10
LXVD2X (HTBL)(R0), VXC2
#ifdef GOARCH_ppc64le
LVSL (R0)(R0), LEMASK
VSPLTISB $0x07, T0
VXOR LEMASK, T0, LEMASK
VPERM XL, XL, LEMASK, XL
#endif
VXOR ZERO, ZERO, ZERO
CMPU LEN, $64
BGE gcm_ghash_p8_4x
LXVD2X (INP)(R0), VIN
ADD $16, INP, INP
SUBCCC $16, LEN, LEN
#ifdef GOARCH_ppc64le
VPERM IN, IN, LEMASK, IN
#endif
VXOR IN, XL, IN
BEQ short
LXVD2X (HTBL)(R8), VH2L // load H^2
MOVD $16, R8
LXVD2X (HTBL)(R9), VH2
ADD LEN, INP, R9 // end of input
LXVD2X (HTBL)(R10), VH2H
loop_2x:
LXVD2X (INP)(R0), VIN1
#ifdef GOARCH_ppc64le
VPERM IN1, IN1, LEMASK, IN1
#endif
SUBC $32, LEN, LEN
VPMSUMD IN, H2L, XL // H^2.lo·Xi.lo
VPMSUMD IN1, HL, XL1 // H.lo·Xi+1.lo
SUBE R11, R11, R11 // borrow?-1:0
VPMSUMD IN, H2, XM // H^2.hi·Xi.lo+H^2.lo·Xi.hi
VPMSUMD IN1, H, XM1 // H.hi·Xi+1.lo+H.lo·Xi+1.hi
AND LEN, R11, R11
VPMSUMD IN, H2H, XH // H^2.hi·Xi.hi
VPMSUMD IN1, HH, XH1 // H.hi·Xi+1.hi
ADD R11, INP, INP
VXOR XL, XL1, XL
VXOR XM, XM1, XM
VPMSUMD XL, XC2, T2 // 1st reduction phase
VSLDOI $8, XM, ZERO, T0
VSLDOI $8, ZERO, XM, T1
VXOR XH, XH1, XH
VXOR XL, T0, XL
VXOR XH, T1, XH
VSLDOI $8, XL, XL, XL
VXOR XL, T2, XL
LXVD2X (INP)(R8), VIN
ADD $32, INP, INP
VSLDOI $8, XL, XL, T1 // 2nd reduction phase
VPMSUMD XL, XC2, XL
#ifdef GOARCH_ppc64le
VPERM IN, IN, LEMASK, IN
#endif
VXOR T1, XH, T1
VXOR IN, T1, IN
VXOR IN, XL, IN
CMP R9, INP
BGT loop_2x // done yet?
CMPWU LEN, $0
BNE even
short:
VPMSUMD IN, HL, XL // H.lo·Xi.lo
VPMSUMD IN, H, XM // H.hi·Xi.lo+H.lo·Xi.hi
VPMSUMD IN, HH, XH // H.hi·Xi.hi
VPMSUMD XL, XC2, T2 // 1st reduction phase
VSLDOI $8, XM, ZERO, T0
VSLDOI $8, ZERO, XM, T1
VXOR XL, T0, XL
VXOR XH, T1, XH
VSLDOI $8, XL, XL, XL
VXOR XL, T2, XL
VSLDOI $8, XL, XL, T1 // 2nd reduction phase
VPMSUMD XL, XC2, XL
VXOR T1, XH, T1
even:
VXOR XL, T1, XL
#ifdef GOARCH_ppc64le
VPERM XL, XL, LEMASK, XL
#endif
STXVD2X VXL, (XIP+R0)
OR R12, R12, R12 // write out Xi
RET
gcm_ghash_p8_4x:
LVSL (R8)(R0), T0 // 0x0001..0e0f
MOVD $0x70, R8
LXVD2X (HTBL)(R9), VH2
MOVD $0x80, R9
VSPLTISB $8, T1 // 0x0808..0808
MOVD $0x90, R10
LXVD2X (HTBL)(R8), VH3L // load H^3
MOVD $0xa0, R8
LXVD2X (HTBL)(R9), VH3
MOVD $0xb0, R9
LXVD2X (HTBL)(R10), VH3H
MOVD $0xc0, R10
LXVD2X (HTBL)(R8), VH4L // load H^4
MOVD $0x10, R8
LXVD2X (HTBL)(R9), VH4
MOVD $0x20, R9
LXVD2X (HTBL)(R10), VH4H
MOVD $0x30, R10
VSLDOI $8, ZERO, T1, T2 // 0x0000..0808
VADDUBM T0, T2, HIPERM // 0x0001..1617
VADDUBM T1, HIPERM, LOPERM // 0x0809..1e1f
SRD $4, LEN, LEN // this allows to use sign bit as carry
LXVD2X (INP)(R0), VIN0 // load input
LXVD2X (INP)(R8), VIN1
SUBCCC $8, LEN, LEN
LXVD2X (INP)(R9), VIN2
LXVD2X (INP)(R10), VIN3
ADD $0x40, INP, INP
#ifdef GOARCH_ppc64le
VPERM IN0, IN0, LEMASK, IN0
VPERM IN1, IN1, LEMASK, IN1
VPERM IN2, IN2, LEMASK, IN2
VPERM IN3, IN3, LEMASK, IN3
#endif
VXOR IN0, XL, XH
VPMSUMD IN1, H3L, XL1
VPMSUMD IN1, H3, XM1
VPMSUMD IN1, H3H, XH1
VPERM H2, H, HIPERM, H21L
VPERM IN2, IN3, LOPERM, T0
VPERM H2, H, LOPERM, H21H
VPERM IN2, IN3, HIPERM, T1
VPMSUMD IN2, H2, XM2 // H^2.lo·Xi+2.hi+H^2.hi·Xi+2.lo
VPMSUMD T0, H21L, XL3 // H^2.lo·Xi+2.lo+H.lo·Xi+3.lo
VPMSUMD IN3, H, XM3 // H.hi·Xi+3.lo +H.lo·Xi+3.hi
VPMSUMD T1, H21H, XH3 // H^2.hi·Xi+2.hi+H.hi·Xi+3.hi
VXOR XM2, XM1, XM2
VXOR XL3, XL1, XL3
VXOR XM3, XM2, XM3
VXOR XH3, XH1, XH3
BLT tail_4x
loop_4x:
LXVD2X (INP)(R0), VIN0
LXVD2X (INP)(R8), VIN1
SUBCCC $4, LEN, LEN
LXVD2X (INP)(R9), VIN2
LXVD2X (INP)(R10), VIN3
ADD $0x40, INP, INP
#ifdef GOARCH_ppc64le
VPERM IN1, IN1, LEMASK, IN1
VPERM IN2, IN2, LEMASK, IN2
VPERM IN3, IN3, LEMASK, IN3
VPERM IN0, IN0, LEMASK, IN0
#endif
VPMSUMD XH, H4L, XL // H^4.lo·Xi.lo
VPMSUMD XH, H4, XM // H^4.hi·Xi.lo+H^4.lo·Xi.hi
VPMSUMD XH, H4H, XH // H^4.hi·Xi.hi
VPMSUMD IN1, H3L, XL1
VPMSUMD IN1, H3, XM1
VPMSUMD IN1, H3H, XH1
VXOR XL, XL3, XL
VXOR XM, XM3, XM
VXOR XH, XH3, XH
VPERM IN2, IN3, LOPERM, T0
VPERM IN2, IN3, HIPERM, T1
VPMSUMD XL, XC2, T2 // 1st reduction phase
VPMSUMD T0, H21L, XL3 // H.lo·Xi+3.lo +H^2.lo·Xi+2.lo
VPMSUMD T1, H21H, XH3 // H.hi·Xi+3.hi +H^2.hi·Xi+2.hi
VSLDOI $8, XM, ZERO, T0
VSLDOI $8, ZERO, XM, T1
VXOR XL, T0, XL
VXOR XH, T1, XH
VSLDOI $8, XL, XL, XL
VXOR XL, T2, XL
VSLDOI $8, XL, XL, T1 // 2nd reduction phase
VPMSUMD IN2, H2, XM2 // H^2.hi·Xi+2.lo+H^2.lo·Xi+2.hi
VPMSUMD IN3, H, XM3 // H.hi·Xi+3.lo +H.lo·Xi+3.hi
VPMSUMD XL, XC2, XL
VXOR XL3, XL1, XL3
VXOR XH3, XH1, XH3
VXOR XH, IN0, XH
VXOR XM2, XM1, XM2
VXOR XH, T1, XH
VXOR XM3, XM2, XM3
VXOR XH, XL, XH
BGE loop_4x
tail_4x:
VPMSUMD XH, H4L, XL // H^4.lo·Xi.lo
VPMSUMD XH, H4, XM // H^4.hi·Xi.lo+H^4.lo·Xi.hi
VPMSUMD XH, H4H, XH // H^4.hi·Xi.hi
VXOR XL, XL3, XL
VXOR XM, XM3, XM
VPMSUMD XL, XC2, T2 // 1st reduction phase
VSLDOI $8, XM, ZERO, T0
VSLDOI $8, ZERO, XM, T1
VXOR XH, XH3, XH
VXOR XL, T0, XL
VXOR XH, T1, XH
VSLDOI $8, XL, XL, XL
VXOR XL, T2, XL
VSLDOI $8, XL, XL, T1 // 2nd reduction phase
VPMSUMD XL, XC2, XL
VXOR T1, XH, T1
VXOR XL, T1, XL
ADDCCC $4, LEN, LEN
BEQ done_4x
LXVD2X (INP)(R0), VIN0
CMPU LEN, $2
MOVD $-4, LEN
BLT one
LXVD2X (INP)(R8), VIN1
BEQ two
three:
LXVD2X (INP)(R9), VIN2
#ifdef GOARCH_ppc64le
VPERM IN0, IN0, LEMASK, IN0
VPERM IN1, IN1, LEMASK, IN1
VPERM IN2, IN2, LEMASK, IN2
#endif
VXOR IN0, XL, XH
VOR H3L, H3L, H4L
VOR H3, H3, H4
VOR H3H, H3H, H4H
VPERM IN1, IN2, LOPERM, T0
VPERM IN1, IN2, HIPERM, T1
VPMSUMD IN1, H2, XM2 // H^2.lo·Xi+1.hi+H^2.hi·Xi+1.lo
VPMSUMD IN2, H, XM3 // H.hi·Xi+2.lo +H.lo·Xi+2.hi
VPMSUMD T0, H21L, XL3 // H^2.lo·Xi+1.lo+H.lo·Xi+2.lo
VPMSUMD T1, H21H, XH3 // H^2.hi·Xi+1.hi+H.hi·Xi+2.hi
VXOR XM3, XM2, XM3
JMP tail_4x
two:
#ifdef GOARCH_ppc64le
VPERM IN0, IN0, LEMASK, IN0
VPERM IN1, IN1, LEMASK, IN1
#endif
VXOR IN, XL, XH
VPERM ZERO, IN1, LOPERM, T0
VPERM ZERO, IN1, HIPERM, T1
VSLDOI $8, ZERO, H2, H4L
VOR H2, H2, H4
VSLDOI $8, H2, ZERO, H4H
VPMSUMD T0, H21L, XL3 // H.lo·Xi+1.lo
VPMSUMD IN1, H, XM3 // H.hi·Xi+1.lo+H.lo·Xi+2.hi
VPMSUMD T1, H21H, XH3 // H.hi·Xi+1.hi
JMP tail_4x
one:
#ifdef GOARCH_ppc64le
VPERM IN0, IN0, LEMASK, IN0
#endif
VSLDOI $8, ZERO, H, H4L
VOR H, H, H4
VSLDOI $8, H, ZERO, H4H
VXOR IN0, XL, XH
VXOR XL3, XL3, XL3
VXOR XM3, XM3, XM3
VXOR XH3, XH3, XH3
JMP tail_4x
done_4x:
#ifdef GOARCH_ppc64le
VPERM XL, XL, LEMASK, XL
#endif
STXVD2X VXL, (XIP+R0) // write out Xi
RET
// func gcmMul(output []byte, productTable *[256]byte)
TEXT ·gcmMul(SB), NOSPLIT, $0-32
MOVD output+0(FP), XIP
MOVD productTable+24(FP), HTBL
MOVD $0x10, R8
MOVD $0x20, R9
MOVD $0x30, R10
LXVD2X (XIP)(R0), VIN // load Xi
LXVD2X (HTBL)(R8), VHL // Load pre-computed table
LXVD2X (HTBL)(R9), VH
LXVD2X (HTBL)(R10), VHH
LXVD2X (HTBL)(R0), VXC2
#ifdef GOARCH_ppc64le
VSPLTISB $0x07, T0
VXOR LEMASK, T0, LEMASK
VPERM IN, IN, LEMASK, IN
#endif
VXOR ZERO, ZERO, ZERO
VPMSUMD IN, HL, XL // H.lo·Xi.lo
VPMSUMD IN, H, XM // H.hi·Xi.lo+H.lo·Xi.hi
VPMSUMD IN, HH, XH // H.hi·Xi.hi
VPMSUMD XL, XC2, T2 // 1st reduction phase
VSLDOI $8, XM, ZERO, T0
VSLDOI $8, ZERO, XM, T1
VXOR XL, T0, XL
VXOR XH, T1, XH
VSLDOI $8, XL, XL, XL
VXOR XL, T2, XL
VSLDOI $8, XL, XL, T1 // 2nd reduction phase
VPMSUMD XL, XC2, XL
VXOR T1, XH, T1
VXOR XL, T1, XL
#ifdef GOARCH_ppc64le
VPERM XL, XL, LEMASK, XL
#endif
STXVD2X VXL, (XIP+R0) // write out Xi
RET
#define BLK_INP R3
#define BLK_OUT R4
#define BLK_KEY R5
#define KEY_LEN R6
#define BLK_IDX R7
#define IDX R8
#define IN_LEN R9
#define COUNTER R10
#define CONPTR R14
#define MASK V5
// Implementation of the counterCrypt function in assembler.
// Original loop is unrolled to allow for multiple encryption
// streams to be done in parallel, which is achieved by interleaving
// vcipher instructions from each stream. This is also referred to as
// stitching, and provides significant performance improvements.
// Some macros are defined which enable execution for big or little
// endian as well as different ISA targets.
//func (g *gcmAsm) counterCrypt(out, in []byte, counter *[gcmBlockSize]byte, key[gcmBlockSize]uint32)
//func counterCryptASM(xr, out, in, counter, key)
TEXT ·counterCryptASM(SB), NOSPLIT, $16-72
MOVD xr(FP), KEY_LEN
MOVD out+8(FP), BLK_OUT
MOVD out_len+16(FP), R8
MOVD in+32(FP), BLK_INP
MOVD in_len+40(FP), IN_LEN
MOVD counter+56(FP), COUNTER
MOVD key+64(FP), BLK_KEY
// Set up permute string when needed.
#ifdef NEEDS_ESPERM
MOVD $·rcon(SB), R14
LVX (R14), ESPERM // Permute value for P8_ macros.
#endif
SETUP_COUNTER // V30 Counter V31 BE {0, 0, 0, 1}
LOAD_KEYS(BLK_KEY, KEY_LEN) // VS1 - VS10/12/14 based on keysize
CMP IN_LEN, $128
BLT block64
block128_loop:
// Do 8 encryptions in parallel by setting
// input values in V15-V22 and executing
// vcipher on the updated value and the keys.
GEN_VCIPHER_8_INPUTS
VCIPHER_8X1_KEY(VS1)
VCIPHER_8X1_KEY(VS2)
VCIPHER_8X1_KEY(VS3)
VCIPHER_8X1_KEY(VS4)
VCIPHER_8X1_KEY(VS5)
VCIPHER_8X1_KEY(VS6)
VCIPHER_8X1_KEY(VS7)
VCIPHER_8X1_KEY(VS8)
VCIPHER_8X1_KEY(VS9)
// Additional encryptions are done based on
// the key length, with the last key moved
// to V23 for use with VCIPHERLAST.
// CR2 = CMP key_len, $12
XXLOR VS10, VS10, V23
BLT CR2, block128_last // key_len = 10
VCIPHER_8X1_KEY(VS10)
VCIPHER_8X1_KEY(VS11)
XXLOR VS12,VS12,V23
BEQ CR2, block128_last // ken_len = 12
VCIPHER_8X1_KEY(VS12)
VCIPHER_8X1_KEY(VS13)
XXLOR VS14,VS14,V23 // key_len = 14
block128_last:
// vcipher encryptions are in V15-V22 at this
// point with vcipherlast remaining to be done.
// Load input block into V1-V8, setting index offsets
// in R16-R22 to use with the STORE.
LOAD_INPUT_BLOCK128(BLK_INP)
// Do VCIPHERLAST on the last key for each encryption
// stream and XOR the result with the corresponding
// value from the input block.
VCIPHERLAST8_XOR_INPUT
// Store the results (8*16) and update BLK_OUT by 128.
STORE_OUTPUT_BLOCK128(BLK_OUT)
ADD $-128, IN_LEN // input size
CMP IN_LEN, $128 // check if >= blocksize
BGE block128_loop // next input block
CMP IN_LEN, $0
BEQ done
block64:
CMP IN_LEN, $64 // Check if >= 64
BLT block16_loop
// Do 4 encryptions in parallel by setting
// input values in V15-V18 and executing
// vcipher on the updated value and the keys.
GEN_VCIPHER_4_INPUTS
VCIPHER_4X1_KEY(VS1)
VCIPHER_4X1_KEY(VS2)
VCIPHER_4X1_KEY(VS3)
VCIPHER_4X1_KEY(VS4)
VCIPHER_4X1_KEY(VS5)
VCIPHER_4X1_KEY(VS6)
VCIPHER_4X1_KEY(VS7)
VCIPHER_4X1_KEY(VS8)
VCIPHER_4X1_KEY(VS9)
// Check key length based on CR2
// Move last key to V23 for use with later vcipherlast
XXLOR VS10, VS10, V23
BLT CR2, block64_last // size = 10
VCIPHER_4X1_KEY(VS10) // Encrypt next 2 keys
VCIPHER_4X1_KEY(VS11)
XXLOR VS12, VS12, V23
BEQ CR2, block64_last // size = 12
VCIPHER_4X1_KEY(VS12) // Encrypt last 2 keys
VCIPHER_4X1_KEY(VS13)
XXLOR VS14, VS14, V23 // size = 14
block64_last:
LOAD_INPUT_BLOCK64(BLK_INP) // Load 64 bytes of input
// Do VCIPHERLAST on the last for each encryption
// stream and XOR the result with the corresponding
// value from the input block.
VCIPHERLAST4_XOR_INPUT
// Store the results (4*16) and update BLK_OUT by 64.
STORE_OUTPUT_BLOCK64(BLK_OUT)
ADD $-64, IN_LEN // decrement input block length
CMP IN_LEN, $0 // check for remaining length
BEQ done
block16_loop:
CMP IN_LEN, $16 // More input
BLT final_block // If not, then handle partial block
// Single encryption, no stitching
GEN_VCIPHER_INPUT // Generate input value for single encryption
VCIPHER_1X9_KEYS(V15) // Encrypt V15 value with 9 keys
XXLOR VS10, VS10, V23 // Last key -> V23 for later vcipiherlast
// Key length based on CR2. (LT=10, EQ=12, GT=14)
BLT CR2, block16_last // Finish for key size 10
VCIPHER_1X2_KEYS(V15, VS10, VS11) // Encrypt V15 with 2 more keys
XXLOR VS12, VS12, V23 // Last key -> V23 for later vcipherlast
BEQ CR2, block16_last // Finish for key size 12
VCIPHER_1X2_KEYS(V15, VS12, VS13) // Encrypt V15 with last 2 keys
XXLOR VS14, VS14, V23 // Last key -> V23 for vcipherlast with key size 14
block16_last:
P8_LXVB16X(BLK_INP, R0, V1) // Load input
VCIPHERLAST V15, V23, V15 // Encrypt last value in V23
XXLXOR V15, V1, V1 // XOR with input
P8_STXVB16X(V1,R0,BLK_OUT) // Store final encryption value to output
ADD $16, BLK_INP // Increment input pointer
ADD $16, BLK_OUT // Increment output pointer
ADD $-16, IN_LEN // Decrement input length
BR block16_loop // Check for next
final_block:
CMP IN_LEN, $0
BEQ done
GEN_VCIPHER_INPUT // Generate input value for partial encryption
VCIPHER_1X9_KEYS(V15) // Encrypt V15 with 9 keys
XXLOR VS10, VS10, V23 // Save possible last key
BLT CR2, final_block_last
VCIPHER_1X2_KEYS(V15, VS10, VS11) // Encrypt V15 with next 2 keys
XXLOR VS12, VS12, V23 // Save possible last key
BEQ CR2, final_block_last
VCIPHER_1X2_KEYS(V15, VS12, VS13) // Encrypt V15 with last 2 keys
XXLOR VS14, VS14, V23 // Save last key
final_block_last:
VCIPHERLAST V15, V23, V15 // Finish encryption
#ifdef GOPPC64_power10
// set up length
SLD $56, IN_LEN, R17
LXVLL BLK_INP, R17, V25
VXOR V25, V15, V25
STXVLL V25, BLK_OUT, R17
#else
ADD $32, R1, MASK_PTR
MOVD $0, R16
P8_STXVB16X(V15, MASK_PTR, R0)
CMP IN_LEN, $8
BLT next4
MOVD 0(MASK_PTR), R14
MOVD 0(BLK_INP), R15
XOR R14, R15, R14
MOVD R14, 0(BLK_OUT)
ADD $8, R16
ADD $-8, IN_LEN
next4:
CMP IN_LEN, $4
BLT next2
MOVWZ (BLK_INP)(R16), R15
MOVWZ (MASK_PTR)(R16), R14
XOR R14, R15, R14
MOVW R14, (R16)(BLK_OUT)
ADD $4, R16
ADD $-4, IN_LEN
next2:
CMP IN_LEN, $2
BLT next1
MOVHZ (BLK_INP)(R16), R15
MOVHZ (MASK_PTR)(R16), R14
XOR R14, R15, R14
MOVH R14, (R16)(BLK_OUT)
ADD $2, R16
ADD $-2, IN_LEN
next1:
CMP IN_LEN, $1
BLT done
MOVBZ (MASK_PTR)(R16), R14
MOVBZ (BLK_INP)(R16), R15
XOR R14, R15, R14
MOVB R14, (R16)(BLK_OUT)
#endif
done:
// Save the updated counter value
P8_STXVB16X(V30, COUNTER, R0)
// Clear the keys
XXLXOR VS0, VS0, VS0
XXLXOR VS1, VS1, VS1
XXLXOR VS2, VS2, VS2
XXLXOR VS3, VS3, VS3
XXLXOR VS4, VS4, VS4
XXLXOR VS5, VS5, VS5
XXLXOR VS6, VS6, VS6
XXLXOR VS7, VS7, VS7
XXLXOR VS8, VS8, VS8
XXLXOR VS9, VS9, VS9
XXLXOR VS10, VS10, VS10
XXLXOR VS11, VS11, VS11
XXLXOR VS12, VS12, VS12
XXLXOR VS13, VS13, VS13
XXLXOR VS14, VS14, VS14
RET
|
