xref: /linux/arch/arm/crypto/blake2b-neon-core.S (revision 2da68a77) 
1/* SPDX-License-Identifier: GPL-2.0-or-later */
2/*
3 * BLAKE2b digest algorithm, NEON accelerated
4 *
5 * Copyright 2020 Google LLC
6 *
7 * Author: Eric Biggers <ebiggers@google.com>
8 */
9
10#include <linux/linkage.h>
11
12	.text
13	.fpu		neon
14
15	// The arguments to blake2b_compress_neon()
16	STATE		.req	r0
17	BLOCK		.req	r1
18	NBLOCKS		.req	r2
19	INC		.req	r3
20
21	// Pointers to the rotation tables
22	ROR24_TABLE	.req	r4
23	ROR16_TABLE	.req	r5
24
25	// The original stack pointer
26	ORIG_SP		.req	r6
27
28	// NEON registers which contain the message words of the current block.
29	// M_0-M_3 are occasionally used for other purposes too.
30	M_0		.req	d16
31	M_1		.req	d17
32	M_2		.req	d18
33	M_3		.req	d19
34	M_4		.req	d20
35	M_5		.req	d21
36	M_6		.req	d22
37	M_7		.req	d23
38	M_8		.req	d24
39	M_9		.req	d25
40	M_10		.req	d26
41	M_11		.req	d27
42	M_12		.req	d28
43	M_13		.req	d29
44	M_14		.req	d30
45	M_15		.req	d31
46
47	.align		4
48	// Tables for computing ror64(x, 24) and ror64(x, 16) using the vtbl.8
49	// instruction.  This is the most efficient way to implement these
50	// rotation amounts with NEON.  (On Cortex-A53 it's the same speed as
51	// vshr.u64 + vsli.u64, while on Cortex-A7 it's faster.)
52.Lror24_table:
53	.byte		3, 4, 5, 6, 7, 0, 1, 2
54.Lror16_table:
55	.byte		2, 3, 4, 5, 6, 7, 0, 1
56	// The BLAKE2b initialization vector
57.Lblake2b_IV:
58	.quad		0x6a09e667f3bcc908, 0xbb67ae8584caa73b
59	.quad		0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1
60	.quad		0x510e527fade682d1, 0x9b05688c2b3e6c1f
61	.quad		0x1f83d9abfb41bd6b, 0x5be0cd19137e2179
62
63// Execute one round of BLAKE2b by updating the state matrix v[0..15] in the
64// NEON registers q0-q7.  The message block is in q8..q15 (M_0-M_15).  The stack
65// pointer points to a 32-byte aligned buffer containing a copy of q8 and q9
66// (M_0-M_3), so that they can be reloaded if they are used as temporary
67// registers.  The macro arguments s0-s15 give the order in which the message
68// words are used in this round.  'final' is 1 if this is the final round.
69.macro	_blake2b_round	s0, s1, s2, s3, s4, s5, s6, s7, \
70			s8, s9, s10, s11, s12, s13, s14, s15, final=0
71
72	// Mix the columns:
73	// (v[0], v[4], v[8], v[12]), (v[1], v[5], v[9], v[13]),
74	// (v[2], v[6], v[10], v[14]), and (v[3], v[7], v[11], v[15]).
75
76	// a += b + m[blake2b_sigma[r][2*i + 0]];
77	vadd.u64	q0, q0, q2
78	vadd.u64	q1, q1, q3
79	vadd.u64	d0, d0, M_\s0
80	vadd.u64	d1, d1, M_\s2
81	vadd.u64	d2, d2, M_\s4
82	vadd.u64	d3, d3, M_\s6
83
84	// d = ror64(d ^ a, 32);
85	veor		q6, q6, q0
86	veor		q7, q7, q1
87	vrev64.32	q6, q6
88	vrev64.32	q7, q7
89
90	// c += d;
91	vadd.u64	q4, q4, q6
92	vadd.u64	q5, q5, q7
93
94	// b = ror64(b ^ c, 24);
95	vld1.8		{M_0}, [ROR24_TABLE, :64]
96	veor		q2, q2, q4
97	veor		q3, q3, q5
98	vtbl.8		d4, {d4}, M_0
99	vtbl.8		d5, {d5}, M_0
100	vtbl.8		d6, {d6}, M_0
101	vtbl.8		d7, {d7}, M_0
102
103	// a += b + m[blake2b_sigma[r][2*i + 1]];
104	//
105	// M_0 got clobbered above, so we have to reload it if any of the four
106	// message words this step needs happens to be M_0.  Otherwise we don't
107	// need to reload it here, as it will just get clobbered again below.
108.if \s1 == 0 || \s3 == 0 || \s5 == 0 || \s7 == 0
109	vld1.8		{M_0}, [sp, :64]
110.endif
111	vadd.u64	q0, q0, q2
112	vadd.u64	q1, q1, q3
113	vadd.u64	d0, d0, M_\s1
114	vadd.u64	d1, d1, M_\s3
115	vadd.u64	d2, d2, M_\s5
116	vadd.u64	d3, d3, M_\s7
117
118	// d = ror64(d ^ a, 16);
119	vld1.8		{M_0}, [ROR16_TABLE, :64]
120	veor		q6, q6, q0
121	veor		q7, q7, q1
122	vtbl.8		d12, {d12}, M_0
123	vtbl.8		d13, {d13}, M_0
124	vtbl.8		d14, {d14}, M_0
125	vtbl.8		d15, {d15}, M_0
126
127	// c += d;
128	vadd.u64	q4, q4, q6
129	vadd.u64	q5, q5, q7
130
131	// b = ror64(b ^ c, 63);
132	//
133	// This rotation amount isn't a multiple of 8, so it has to be
134	// implemented using a pair of shifts, which requires temporary
135	// registers.  Use q8-q9 (M_0-M_3) for this, and reload them afterwards.
136	veor		q8, q2, q4
137	veor		q9, q3, q5
138	vshr.u64	q2, q8, #63
139	vshr.u64	q3, q9, #63
140	vsli.u64	q2, q8, #1
141	vsli.u64	q3, q9, #1
142	vld1.8		{q8-q9}, [sp, :256]
143
144	// Mix the diagonals:
145	// (v[0], v[5], v[10], v[15]), (v[1], v[6], v[11], v[12]),
146	// (v[2], v[7], v[8], v[13]), and (v[3], v[4], v[9], v[14]).
147	//
148	// There are two possible ways to do this: use 'vext' instructions to
149	// shift the rows of the matrix so that the diagonals become columns,
150	// and undo it afterwards; or just use 64-bit operations on 'd'
151	// registers instead of 128-bit operations on 'q' registers.  We use the
152	// latter approach, as it performs much better on Cortex-A7.
153
154	// a += b + m[blake2b_sigma[r][2*i + 0]];
155	vadd.u64	d0, d0, d5
156	vadd.u64	d1, d1, d6
157	vadd.u64	d2, d2, d7
158	vadd.u64	d3, d3, d4
159	vadd.u64	d0, d0, M_\s8
160	vadd.u64	d1, d1, M_\s10
161	vadd.u64	d2, d2, M_\s12
162	vadd.u64	d3, d3, M_\s14
163
164	// d = ror64(d ^ a, 32);
165	veor		d15, d15, d0
166	veor		d12, d12, d1
167	veor		d13, d13, d2
168	veor		d14, d14, d3
169	vrev64.32	d15, d15
170	vrev64.32	d12, d12
171	vrev64.32	d13, d13
172	vrev64.32	d14, d14
173
174	// c += d;
175	vadd.u64	d10, d10, d15
176	vadd.u64	d11, d11, d12
177	vadd.u64	d8, d8, d13
178	vadd.u64	d9, d9, d14
179
180	// b = ror64(b ^ c, 24);
181	vld1.8		{M_0}, [ROR24_TABLE, :64]
182	veor		d5, d5, d10
183	veor		d6, d6, d11
184	veor		d7, d7, d8
185	veor		d4, d4, d9
186	vtbl.8		d5, {d5}, M_0
187	vtbl.8		d6, {d6}, M_0
188	vtbl.8		d7, {d7}, M_0
189	vtbl.8		d4, {d4}, M_0
190
191	// a += b + m[blake2b_sigma[r][2*i + 1]];
192.if \s9 == 0 || \s11 == 0 || \s13 == 0 || \s15 == 0
193	vld1.8		{M_0}, [sp, :64]
194.endif
195	vadd.u64	d0, d0, d5
196	vadd.u64	d1, d1, d6
197	vadd.u64	d2, d2, d7
198	vadd.u64	d3, d3, d4
199	vadd.u64	d0, d0, M_\s9
200	vadd.u64	d1, d1, M_\s11
201	vadd.u64	d2, d2, M_\s13
202	vadd.u64	d3, d3, M_\s15
203
204	// d = ror64(d ^ a, 16);
205	vld1.8		{M_0}, [ROR16_TABLE, :64]
206	veor		d15, d15, d0
207	veor		d12, d12, d1
208	veor		d13, d13, d2
209	veor		d14, d14, d3
210	vtbl.8		d12, {d12}, M_0
211	vtbl.8		d13, {d13}, M_0
212	vtbl.8		d14, {d14}, M_0
213	vtbl.8		d15, {d15}, M_0
214
215	// c += d;
216	vadd.u64	d10, d10, d15
217	vadd.u64	d11, d11, d12
218	vadd.u64	d8, d8, d13
219	vadd.u64	d9, d9, d14
220
221	// b = ror64(b ^ c, 63);
222	veor		d16, d4, d9
223	veor		d17, d5, d10
224	veor		d18, d6, d11
225	veor		d19, d7, d8
226	vshr.u64	q2, q8, #63
227	vshr.u64	q3, q9, #63
228	vsli.u64	q2, q8, #1
229	vsli.u64	q3, q9, #1
230	// Reloading q8-q9 can be skipped on the final round.
231.if ! \final
232	vld1.8		{q8-q9}, [sp, :256]
233.endif
234.endm
235
236//
237// void blake2b_compress_neon(struct blake2b_state *state,
238//			      const u8 *block, size_t nblocks, u32 inc);
239//
240// Only the first three fields of struct blake2b_state are used:
241//	u64 h[8];	(inout)
242//	u64 t[2];	(inout)
243//	u64 f[2];	(in)
244//
245	.align		5
246ENTRY(blake2b_compress_neon)
247	push		{r4-r10}
248
249	// Allocate a 32-byte stack buffer that is 32-byte aligned.
250	mov		ORIG_SP, sp
251	sub		ip, sp, #32
252	bic		ip, ip, #31
253	mov		sp, ip
254
255	adr		ROR24_TABLE, .Lror24_table
256	adr		ROR16_TABLE, .Lror16_table
257
258	mov		ip, STATE
259	vld1.64		{q0-q1}, [ip]!		// Load h[0..3]
260	vld1.64		{q2-q3}, [ip]!		// Load h[4..7]
261.Lnext_block:
262	  adr		r10, .Lblake2b_IV
263	vld1.64		{q14-q15}, [ip]		// Load t[0..1] and f[0..1]
264	vld1.64		{q4-q5}, [r10]!		// Load IV[0..3]
265	  vmov		r7, r8, d28		// Copy t[0] to (r7, r8)
266	vld1.64		{q6-q7}, [r10]		// Load IV[4..7]
267	  adds		r7, r7, INC		// Increment counter
268	bcs		.Lslow_inc_ctr
269	vmov.i32	d28[0], r7
270	vst1.64		{d28}, [ip]		// Update t[0]
271.Linc_ctr_done:
272
273	// Load the next message block and finish initializing the state matrix
274	// 'v'.  Fortunately, there are exactly enough NEON registers to fit the
275	// entire state matrix in q0-q7 and the entire message block in q8-15.
276	//
277	// However, _blake2b_round also needs some extra registers for rotates,
278	// so we have to spill some registers.  It's better to spill the message
279	// registers than the state registers, as the message doesn't change.
280	// Therefore we store a copy of the first 32 bytes of the message block
281	// (q8-q9) in an aligned buffer on the stack so that they can be
282	// reloaded when needed.  (We could just reload directly from the
283	// message buffer, but it's faster to use aligned loads.)
284	vld1.8		{q8-q9}, [BLOCK]!
285	  veor		q6, q6, q14	// v[12..13] = IV[4..5] ^ t[0..1]
286	vld1.8		{q10-q11}, [BLOCK]!
287	  veor		q7, q7, q15	// v[14..15] = IV[6..7] ^ f[0..1]
288	vld1.8		{q12-q13}, [BLOCK]!
289	vst1.8		{q8-q9}, [sp, :256]
290	  mov		ip, STATE
291	vld1.8		{q14-q15}, [BLOCK]!
292
293	// Execute the rounds.  Each round is provided the order in which it
294	// needs to use the message words.
295	_blake2b_round	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
296	_blake2b_round	14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3
297	_blake2b_round	11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4
298	_blake2b_round	7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8
299	_blake2b_round	9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13
300	_blake2b_round	2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9
301	_blake2b_round	12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11
302	_blake2b_round	13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10
303	_blake2b_round	6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5
304	_blake2b_round	10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0
305	_blake2b_round	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
306	_blake2b_round	14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 \
307			final=1
308
309	// Fold the final state matrix into the hash chaining value:
310	//
311	//	for (i = 0; i < 8; i++)
312	//		h[i] ^= v[i] ^ v[i + 8];
313	//
314	  vld1.64	{q8-q9}, [ip]!		// Load old h[0..3]
315	veor		q0, q0, q4		// v[0..1] ^= v[8..9]
316	veor		q1, q1, q5		// v[2..3] ^= v[10..11]
317	  vld1.64	{q10-q11}, [ip]		// Load old h[4..7]
318	veor		q2, q2, q6		// v[4..5] ^= v[12..13]
319	veor		q3, q3, q7		// v[6..7] ^= v[14..15]
320	veor		q0, q0, q8		// v[0..1] ^= h[0..1]
321	veor		q1, q1, q9		// v[2..3] ^= h[2..3]
322	  mov		ip, STATE
323	  subs		NBLOCKS, NBLOCKS, #1	// nblocks--
324	  vst1.64	{q0-q1}, [ip]!		// Store new h[0..3]
325	veor		q2, q2, q10		// v[4..5] ^= h[4..5]
326	veor		q3, q3, q11		// v[6..7] ^= h[6..7]
327	  vst1.64	{q2-q3}, [ip]!		// Store new h[4..7]
328
329	// Advance to the next block, if there is one.
330	bne		.Lnext_block		// nblocks != 0?
331
332	mov		sp, ORIG_SP
333	pop		{r4-r10}
334	mov		pc, lr
335
336.Lslow_inc_ctr:
337	// Handle the case where the counter overflowed its low 32 bits, by
338	// carrying the overflow bit into the full 128-bit counter.
339	vmov		r9, r10, d29
340	adcs		r8, r8, #0
341	adcs		r9, r9, #0
342	adc		r10, r10, #0
343	vmov		d28, r7, r8
344	vmov		d29, r9, r10
345	vst1.64		{q14}, [ip]		// Update t[0] and t[1]
346	b		.Linc_ctr_done
347ENDPROC(blake2b_compress_neon)
348