19d935509SArd Biesheuvel /* 29d935509SArd Biesheuvel * crypto_helper.c - emulate v8 Crypto Extensions instructions 39d935509SArd Biesheuvel * 490b827d1SArd Biesheuvel * Copyright (C) 2013 - 2018 Linaro Ltd <ard.biesheuvel@linaro.org> 59d935509SArd Biesheuvel * 69d935509SArd Biesheuvel * This library is free software; you can redistribute it and/or 79d935509SArd Biesheuvel * modify it under the terms of the GNU Lesser General Public 89d935509SArd Biesheuvel * License as published by the Free Software Foundation; either 950f57e09SChetan Pant * version 2.1 of the License, or (at your option) any later version. 109d935509SArd Biesheuvel */ 119d935509SArd Biesheuvel 1274c21bd0SPeter Maydell #include "qemu/osdep.h" 139d935509SArd Biesheuvel 149d935509SArd Biesheuvel #include "cpu.h" 152ef6175aSRichard Henderson #include "exec/helper-proto.h" 16a04b68e1SRichard Henderson #include "tcg/tcg-gvec-desc.h" 176f2945cdSDaniel P. Berrange #include "crypto/aes.h" 18552d8924SRichard Henderson #include "crypto/aes-round.h" 19c29da5a7SWeiwei Li #include "crypto/sm4.h" 20a04b68e1SRichard Henderson #include "vec_internal.h" 219d935509SArd Biesheuvel 22f1ecb913SArd Biesheuvel union CRYPTO_STATE { 239d935509SArd Biesheuvel uint8_t bytes[16]; 24f1ecb913SArd Biesheuvel uint32_t words[4]; 259d935509SArd Biesheuvel uint64_t l[2]; 269d935509SArd Biesheuvel }; 279d935509SArd Biesheuvel 28e03b5686SMarc-André Lureau #if HOST_BIG_ENDIAN 29afc8b7d3SRichard Henderson #define CR_ST_BYTE(state, i) ((state).bytes[(15 - (i)) ^ 8]) 30afc8b7d3SRichard Henderson #define CR_ST_WORD(state, i) ((state).words[(3 - (i)) ^ 2]) 31b449ca3cSArd Biesheuvel #else 32afc8b7d3SRichard Henderson #define CR_ST_BYTE(state, i) ((state).bytes[i]) 33afc8b7d3SRichard Henderson #define CR_ST_WORD(state, i) ((state).words[i]) 34b449ca3cSArd Biesheuvel #endif 35b449ca3cSArd Biesheuvel 36aaffebd6SRichard Henderson /* 37aaffebd6SRichard Henderson * The caller has not been converted to full gvec, and so only 38aaffebd6SRichard Henderson * modifies the low 16 bytes of the vector register. 39aaffebd6SRichard Henderson */ 40aaffebd6SRichard Henderson static void clear_tail_16(void *vd, uint32_t desc) 41aaffebd6SRichard Henderson { 42aaffebd6SRichard Henderson int opr_sz = simd_oprsz(desc); 43aaffebd6SRichard Henderson int max_sz = simd_maxsz(desc); 44aaffebd6SRichard Henderson 45aaffebd6SRichard Henderson assert(opr_sz == 16); 46aaffebd6SRichard Henderson clear_tail(vd, opr_sz, max_sz); 47aaffebd6SRichard Henderson } 48aaffebd6SRichard Henderson 49552d8924SRichard Henderson static const AESState aes_zero = { }; 50552d8924SRichard Henderson 51a04b68e1SRichard Henderson void HELPER(crypto_aese)(void *vd, void *vn, void *vm, uint32_t desc) 52a04b68e1SRichard Henderson { 53a04b68e1SRichard Henderson intptr_t i, opr_sz = simd_oprsz(desc); 54a04b68e1SRichard Henderson 55a04b68e1SRichard Henderson for (i = 0; i < opr_sz; i += 16) { 56552d8924SRichard Henderson AESState *ad = (AESState *)(vd + i); 57552d8924SRichard Henderson AESState *st = (AESState *)(vn + i); 58552d8924SRichard Henderson AESState *rk = (AESState *)(vm + i); 59552d8924SRichard Henderson AESState t; 60552d8924SRichard Henderson 61552d8924SRichard Henderson /* 62552d8924SRichard Henderson * Our uint64_t are in the wrong order for big-endian. 63552d8924SRichard Henderson * The Arm AddRoundKey comes first, while the API AddRoundKey 64552d8924SRichard Henderson * comes last: perform the xor here, and provide zero to API. 65552d8924SRichard Henderson */ 66552d8924SRichard Henderson if (HOST_BIG_ENDIAN) { 67552d8924SRichard Henderson t.d[0] = st->d[1] ^ rk->d[1]; 68552d8924SRichard Henderson t.d[1] = st->d[0] ^ rk->d[0]; 69552d8924SRichard Henderson aesenc_SB_SR_AK(&t, &t, &aes_zero, false); 70552d8924SRichard Henderson ad->d[0] = t.d[1]; 71552d8924SRichard Henderson ad->d[1] = t.d[0]; 72552d8924SRichard Henderson } else { 73552d8924SRichard Henderson t.v = st->v ^ rk->v; 74552d8924SRichard Henderson aesenc_SB_SR_AK(ad, &t, &aes_zero, false); 75552d8924SRichard Henderson } 76a04b68e1SRichard Henderson } 77a04b68e1SRichard Henderson clear_tail(vd, opr_sz, simd_maxsz(desc)); 78a04b68e1SRichard Henderson } 79a04b68e1SRichard Henderson 800f23908cSRichard Henderson void HELPER(crypto_aesd)(void *vd, void *vn, void *vm, uint32_t desc) 810f23908cSRichard Henderson { 820f23908cSRichard Henderson intptr_t i, opr_sz = simd_oprsz(desc); 830f23908cSRichard Henderson 840f23908cSRichard Henderson for (i = 0; i < opr_sz; i += 16) { 852a8b545fSRichard Henderson AESState *ad = (AESState *)(vd + i); 862a8b545fSRichard Henderson AESState *st = (AESState *)(vn + i); 872a8b545fSRichard Henderson AESState *rk = (AESState *)(vm + i); 882a8b545fSRichard Henderson AESState t; 892a8b545fSRichard Henderson 902a8b545fSRichard Henderson /* Our uint64_t are in the wrong order for big-endian. */ 912a8b545fSRichard Henderson if (HOST_BIG_ENDIAN) { 922a8b545fSRichard Henderson t.d[0] = st->d[1] ^ rk->d[1]; 932a8b545fSRichard Henderson t.d[1] = st->d[0] ^ rk->d[0]; 942a8b545fSRichard Henderson aesdec_ISB_ISR_AK(&t, &t, &aes_zero, false); 952a8b545fSRichard Henderson ad->d[0] = t.d[1]; 962a8b545fSRichard Henderson ad->d[1] = t.d[0]; 972a8b545fSRichard Henderson } else { 982a8b545fSRichard Henderson t.v = st->v ^ rk->v; 992a8b545fSRichard Henderson aesdec_ISB_ISR_AK(ad, &t, &aes_zero, false); 1002a8b545fSRichard Henderson } 1010f23908cSRichard Henderson } 1020f23908cSRichard Henderson clear_tail(vd, opr_sz, simd_maxsz(desc)); 1030f23908cSRichard Henderson } 1040f23908cSRichard Henderson 1050f23908cSRichard Henderson static void do_crypto_aesmc(uint64_t *rd, uint64_t *rm, const uint32_t *mc) 1069d935509SArd Biesheuvel { 1071a66ac61SRichard Henderson union CRYPTO_STATE st = { .l = { rm[0], rm[1] } }; 1089d935509SArd Biesheuvel int i; 1099d935509SArd Biesheuvel 1109d935509SArd Biesheuvel for (i = 0; i < 16; i += 4) { 111b449ca3cSArd Biesheuvel CR_ST_WORD(st, i >> 2) = 112fb250c59SRichard Henderson mc[CR_ST_BYTE(st, i)] ^ 113fb250c59SRichard Henderson rol32(mc[CR_ST_BYTE(st, i + 1)], 8) ^ 114fb250c59SRichard Henderson rol32(mc[CR_ST_BYTE(st, i + 2)], 16) ^ 115fb250c59SRichard Henderson rol32(mc[CR_ST_BYTE(st, i + 3)], 24); 1169d935509SArd Biesheuvel } 1179d935509SArd Biesheuvel 1181a66ac61SRichard Henderson rd[0] = st.l[0]; 1191a66ac61SRichard Henderson rd[1] = st.l[1]; 1209d935509SArd Biesheuvel } 121f1ecb913SArd Biesheuvel 122a04b68e1SRichard Henderson void HELPER(crypto_aesmc)(void *vd, void *vm, uint32_t desc) 123a04b68e1SRichard Henderson { 124a04b68e1SRichard Henderson intptr_t i, opr_sz = simd_oprsz(desc); 125a04b68e1SRichard Henderson 126a04b68e1SRichard Henderson for (i = 0; i < opr_sz; i += 16) { 127*8b103ed7SRichard Henderson AESState *ad = (AESState *)(vd + i); 128*8b103ed7SRichard Henderson AESState *st = (AESState *)(vm + i); 129*8b103ed7SRichard Henderson AESState t; 130*8b103ed7SRichard Henderson 131*8b103ed7SRichard Henderson /* Our uint64_t are in the wrong order for big-endian. */ 132*8b103ed7SRichard Henderson if (HOST_BIG_ENDIAN) { 133*8b103ed7SRichard Henderson t.d[0] = st->d[1]; 134*8b103ed7SRichard Henderson t.d[1] = st->d[0]; 135*8b103ed7SRichard Henderson aesenc_MC(&t, &t, false); 136*8b103ed7SRichard Henderson ad->d[0] = t.d[1]; 137*8b103ed7SRichard Henderson ad->d[1] = t.d[0]; 138*8b103ed7SRichard Henderson } else { 139*8b103ed7SRichard Henderson aesenc_MC(ad, st, false); 140*8b103ed7SRichard Henderson } 1410f23908cSRichard Henderson } 1420f23908cSRichard Henderson clear_tail(vd, opr_sz, simd_maxsz(desc)); 1430f23908cSRichard Henderson } 1440f23908cSRichard Henderson 1450f23908cSRichard Henderson void HELPER(crypto_aesimc)(void *vd, void *vm, uint32_t desc) 1460f23908cSRichard Henderson { 1470f23908cSRichard Henderson intptr_t i, opr_sz = simd_oprsz(desc); 1480f23908cSRichard Henderson 1490f23908cSRichard Henderson for (i = 0; i < opr_sz; i += 16) { 1500f23908cSRichard Henderson do_crypto_aesmc(vd + i, vm + i, AES_imc_rot); 151a04b68e1SRichard Henderson } 152a04b68e1SRichard Henderson clear_tail(vd, opr_sz, simd_maxsz(desc)); 153a04b68e1SRichard Henderson } 154a04b68e1SRichard Henderson 155f1ecb913SArd Biesheuvel /* 156f1ecb913SArd Biesheuvel * SHA-1 logical functions 157f1ecb913SArd Biesheuvel */ 158f1ecb913SArd Biesheuvel 159f1ecb913SArd Biesheuvel static uint32_t cho(uint32_t x, uint32_t y, uint32_t z) 160f1ecb913SArd Biesheuvel { 161f1ecb913SArd Biesheuvel return (x & (y ^ z)) ^ z; 162f1ecb913SArd Biesheuvel } 163f1ecb913SArd Biesheuvel 164f1ecb913SArd Biesheuvel static uint32_t par(uint32_t x, uint32_t y, uint32_t z) 165f1ecb913SArd Biesheuvel { 166f1ecb913SArd Biesheuvel return x ^ y ^ z; 167f1ecb913SArd Biesheuvel } 168f1ecb913SArd Biesheuvel 169f1ecb913SArd Biesheuvel static uint32_t maj(uint32_t x, uint32_t y, uint32_t z) 170f1ecb913SArd Biesheuvel { 171f1ecb913SArd Biesheuvel return (x & y) | ((x | y) & z); 172f1ecb913SArd Biesheuvel } 173f1ecb913SArd Biesheuvel 174afc8b7d3SRichard Henderson void HELPER(crypto_sha1su0)(void *vd, void *vn, void *vm, uint32_t desc) 175f1ecb913SArd Biesheuvel { 176afc8b7d3SRichard Henderson uint64_t *d = vd, *n = vn, *m = vm; 177afc8b7d3SRichard Henderson uint64_t d0, d1; 178afc8b7d3SRichard Henderson 179afc8b7d3SRichard Henderson d0 = d[1] ^ d[0] ^ m[0]; 180afc8b7d3SRichard Henderson d1 = n[0] ^ d[1] ^ m[1]; 181afc8b7d3SRichard Henderson d[0] = d0; 182afc8b7d3SRichard Henderson d[1] = d1; 183afc8b7d3SRichard Henderson 184afc8b7d3SRichard Henderson clear_tail_16(vd, desc); 185afc8b7d3SRichard Henderson } 186afc8b7d3SRichard Henderson 187afc8b7d3SRichard Henderson static inline void crypto_sha1_3reg(uint64_t *rd, uint64_t *rn, 188afc8b7d3SRichard Henderson uint64_t *rm, uint32_t desc, 189afc8b7d3SRichard Henderson uint32_t (*fn)(union CRYPTO_STATE *d)) 190afc8b7d3SRichard Henderson { 1911a66ac61SRichard Henderson union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 1921a66ac61SRichard Henderson union CRYPTO_STATE n = { .l = { rn[0], rn[1] } }; 1931a66ac61SRichard Henderson union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 194f1ecb913SArd Biesheuvel int i; 195f1ecb913SArd Biesheuvel 196f1ecb913SArd Biesheuvel for (i = 0; i < 4; i++) { 197afc8b7d3SRichard Henderson uint32_t t = fn(&d); 198f1ecb913SArd Biesheuvel 199b449ca3cSArd Biesheuvel t += rol32(CR_ST_WORD(d, 0), 5) + CR_ST_WORD(n, 0) 200b449ca3cSArd Biesheuvel + CR_ST_WORD(m, i); 201f1ecb913SArd Biesheuvel 202b449ca3cSArd Biesheuvel CR_ST_WORD(n, 0) = CR_ST_WORD(d, 3); 203b449ca3cSArd Biesheuvel CR_ST_WORD(d, 3) = CR_ST_WORD(d, 2); 204b449ca3cSArd Biesheuvel CR_ST_WORD(d, 2) = ror32(CR_ST_WORD(d, 1), 2); 205b449ca3cSArd Biesheuvel CR_ST_WORD(d, 1) = CR_ST_WORD(d, 0); 206b449ca3cSArd Biesheuvel CR_ST_WORD(d, 0) = t; 207f1ecb913SArd Biesheuvel } 2081a66ac61SRichard Henderson rd[0] = d.l[0]; 2091a66ac61SRichard Henderson rd[1] = d.l[1]; 210afc8b7d3SRichard Henderson 211afc8b7d3SRichard Henderson clear_tail_16(rd, desc); 212afc8b7d3SRichard Henderson } 213afc8b7d3SRichard Henderson 214afc8b7d3SRichard Henderson static uint32_t do_sha1c(union CRYPTO_STATE *d) 215afc8b7d3SRichard Henderson { 216afc8b7d3SRichard Henderson return cho(CR_ST_WORD(*d, 1), CR_ST_WORD(*d, 2), CR_ST_WORD(*d, 3)); 217afc8b7d3SRichard Henderson } 218afc8b7d3SRichard Henderson 219afc8b7d3SRichard Henderson void HELPER(crypto_sha1c)(void *vd, void *vn, void *vm, uint32_t desc) 220afc8b7d3SRichard Henderson { 221afc8b7d3SRichard Henderson crypto_sha1_3reg(vd, vn, vm, desc, do_sha1c); 222afc8b7d3SRichard Henderson } 223afc8b7d3SRichard Henderson 224afc8b7d3SRichard Henderson static uint32_t do_sha1p(union CRYPTO_STATE *d) 225afc8b7d3SRichard Henderson { 226afc8b7d3SRichard Henderson return par(CR_ST_WORD(*d, 1), CR_ST_WORD(*d, 2), CR_ST_WORD(*d, 3)); 227afc8b7d3SRichard Henderson } 228afc8b7d3SRichard Henderson 229afc8b7d3SRichard Henderson void HELPER(crypto_sha1p)(void *vd, void *vn, void *vm, uint32_t desc) 230afc8b7d3SRichard Henderson { 231afc8b7d3SRichard Henderson crypto_sha1_3reg(vd, vn, vm, desc, do_sha1p); 232afc8b7d3SRichard Henderson } 233afc8b7d3SRichard Henderson 234afc8b7d3SRichard Henderson static uint32_t do_sha1m(union CRYPTO_STATE *d) 235afc8b7d3SRichard Henderson { 236afc8b7d3SRichard Henderson return maj(CR_ST_WORD(*d, 1), CR_ST_WORD(*d, 2), CR_ST_WORD(*d, 3)); 237afc8b7d3SRichard Henderson } 238afc8b7d3SRichard Henderson 239afc8b7d3SRichard Henderson void HELPER(crypto_sha1m)(void *vd, void *vn, void *vm, uint32_t desc) 240afc8b7d3SRichard Henderson { 241afc8b7d3SRichard Henderson crypto_sha1_3reg(vd, vn, vm, desc, do_sha1m); 242f1ecb913SArd Biesheuvel } 243f1ecb913SArd Biesheuvel 244effa992fSRichard Henderson void HELPER(crypto_sha1h)(void *vd, void *vm, uint32_t desc) 245f1ecb913SArd Biesheuvel { 2461a66ac61SRichard Henderson uint64_t *rd = vd; 2471a66ac61SRichard Henderson uint64_t *rm = vm; 2481a66ac61SRichard Henderson union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 249f1ecb913SArd Biesheuvel 250b449ca3cSArd Biesheuvel CR_ST_WORD(m, 0) = ror32(CR_ST_WORD(m, 0), 2); 251b449ca3cSArd Biesheuvel CR_ST_WORD(m, 1) = CR_ST_WORD(m, 2) = CR_ST_WORD(m, 3) = 0; 252f1ecb913SArd Biesheuvel 2531a66ac61SRichard Henderson rd[0] = m.l[0]; 2541a66ac61SRichard Henderson rd[1] = m.l[1]; 255effa992fSRichard Henderson 256effa992fSRichard Henderson clear_tail_16(vd, desc); 257f1ecb913SArd Biesheuvel } 258f1ecb913SArd Biesheuvel 259effa992fSRichard Henderson void HELPER(crypto_sha1su1)(void *vd, void *vm, uint32_t desc) 260f1ecb913SArd Biesheuvel { 2611a66ac61SRichard Henderson uint64_t *rd = vd; 2621a66ac61SRichard Henderson uint64_t *rm = vm; 2631a66ac61SRichard Henderson union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 2641a66ac61SRichard Henderson union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 265f1ecb913SArd Biesheuvel 266b449ca3cSArd Biesheuvel CR_ST_WORD(d, 0) = rol32(CR_ST_WORD(d, 0) ^ CR_ST_WORD(m, 1), 1); 267b449ca3cSArd Biesheuvel CR_ST_WORD(d, 1) = rol32(CR_ST_WORD(d, 1) ^ CR_ST_WORD(m, 2), 1); 268b449ca3cSArd Biesheuvel CR_ST_WORD(d, 2) = rol32(CR_ST_WORD(d, 2) ^ CR_ST_WORD(m, 3), 1); 269b449ca3cSArd Biesheuvel CR_ST_WORD(d, 3) = rol32(CR_ST_WORD(d, 3) ^ CR_ST_WORD(d, 0), 1); 270f1ecb913SArd Biesheuvel 2711a66ac61SRichard Henderson rd[0] = d.l[0]; 2721a66ac61SRichard Henderson rd[1] = d.l[1]; 273effa992fSRichard Henderson 274effa992fSRichard Henderson clear_tail_16(vd, desc); 275f1ecb913SArd Biesheuvel } 276f1ecb913SArd Biesheuvel 277f1ecb913SArd Biesheuvel /* 278f1ecb913SArd Biesheuvel * The SHA-256 logical functions, according to 279f1ecb913SArd Biesheuvel * http://csrc.nist.gov/groups/STM/cavp/documents/shs/sha256-384-512.pdf 280f1ecb913SArd Biesheuvel */ 281f1ecb913SArd Biesheuvel 282f1ecb913SArd Biesheuvel static uint32_t S0(uint32_t x) 283f1ecb913SArd Biesheuvel { 284f1ecb913SArd Biesheuvel return ror32(x, 2) ^ ror32(x, 13) ^ ror32(x, 22); 285f1ecb913SArd Biesheuvel } 286f1ecb913SArd Biesheuvel 287f1ecb913SArd Biesheuvel static uint32_t S1(uint32_t x) 288f1ecb913SArd Biesheuvel { 289f1ecb913SArd Biesheuvel return ror32(x, 6) ^ ror32(x, 11) ^ ror32(x, 25); 290f1ecb913SArd Biesheuvel } 291f1ecb913SArd Biesheuvel 292f1ecb913SArd Biesheuvel static uint32_t s0(uint32_t x) 293f1ecb913SArd Biesheuvel { 294f1ecb913SArd Biesheuvel return ror32(x, 7) ^ ror32(x, 18) ^ (x >> 3); 295f1ecb913SArd Biesheuvel } 296f1ecb913SArd Biesheuvel 297f1ecb913SArd Biesheuvel static uint32_t s1(uint32_t x) 298f1ecb913SArd Biesheuvel { 299f1ecb913SArd Biesheuvel return ror32(x, 17) ^ ror32(x, 19) ^ (x >> 10); 300f1ecb913SArd Biesheuvel } 301f1ecb913SArd Biesheuvel 302effa992fSRichard Henderson void HELPER(crypto_sha256h)(void *vd, void *vn, void *vm, uint32_t desc) 303f1ecb913SArd Biesheuvel { 3041a66ac61SRichard Henderson uint64_t *rd = vd; 3051a66ac61SRichard Henderson uint64_t *rn = vn; 3061a66ac61SRichard Henderson uint64_t *rm = vm; 3071a66ac61SRichard Henderson union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 3081a66ac61SRichard Henderson union CRYPTO_STATE n = { .l = { rn[0], rn[1] } }; 3091a66ac61SRichard Henderson union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 310f1ecb913SArd Biesheuvel int i; 311f1ecb913SArd Biesheuvel 312f1ecb913SArd Biesheuvel for (i = 0; i < 4; i++) { 313b449ca3cSArd Biesheuvel uint32_t t = cho(CR_ST_WORD(n, 0), CR_ST_WORD(n, 1), CR_ST_WORD(n, 2)) 314b449ca3cSArd Biesheuvel + CR_ST_WORD(n, 3) + S1(CR_ST_WORD(n, 0)) 315b449ca3cSArd Biesheuvel + CR_ST_WORD(m, i); 316f1ecb913SArd Biesheuvel 317b449ca3cSArd Biesheuvel CR_ST_WORD(n, 3) = CR_ST_WORD(n, 2); 318b449ca3cSArd Biesheuvel CR_ST_WORD(n, 2) = CR_ST_WORD(n, 1); 319b449ca3cSArd Biesheuvel CR_ST_WORD(n, 1) = CR_ST_WORD(n, 0); 320b449ca3cSArd Biesheuvel CR_ST_WORD(n, 0) = CR_ST_WORD(d, 3) + t; 321f1ecb913SArd Biesheuvel 322b449ca3cSArd Biesheuvel t += maj(CR_ST_WORD(d, 0), CR_ST_WORD(d, 1), CR_ST_WORD(d, 2)) 323b449ca3cSArd Biesheuvel + S0(CR_ST_WORD(d, 0)); 324f1ecb913SArd Biesheuvel 325b449ca3cSArd Biesheuvel CR_ST_WORD(d, 3) = CR_ST_WORD(d, 2); 326b449ca3cSArd Biesheuvel CR_ST_WORD(d, 2) = CR_ST_WORD(d, 1); 327b449ca3cSArd Biesheuvel CR_ST_WORD(d, 1) = CR_ST_WORD(d, 0); 328b449ca3cSArd Biesheuvel CR_ST_WORD(d, 0) = t; 329f1ecb913SArd Biesheuvel } 330f1ecb913SArd Biesheuvel 3311a66ac61SRichard Henderson rd[0] = d.l[0]; 3321a66ac61SRichard Henderson rd[1] = d.l[1]; 333effa992fSRichard Henderson 334effa992fSRichard Henderson clear_tail_16(vd, desc); 335f1ecb913SArd Biesheuvel } 336f1ecb913SArd Biesheuvel 337effa992fSRichard Henderson void HELPER(crypto_sha256h2)(void *vd, void *vn, void *vm, uint32_t desc) 338f1ecb913SArd Biesheuvel { 3391a66ac61SRichard Henderson uint64_t *rd = vd; 3401a66ac61SRichard Henderson uint64_t *rn = vn; 3411a66ac61SRichard Henderson uint64_t *rm = vm; 3421a66ac61SRichard Henderson union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 3431a66ac61SRichard Henderson union CRYPTO_STATE n = { .l = { rn[0], rn[1] } }; 3441a66ac61SRichard Henderson union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 345f1ecb913SArd Biesheuvel int i; 346f1ecb913SArd Biesheuvel 347f1ecb913SArd Biesheuvel for (i = 0; i < 4; i++) { 348b449ca3cSArd Biesheuvel uint32_t t = cho(CR_ST_WORD(d, 0), CR_ST_WORD(d, 1), CR_ST_WORD(d, 2)) 349b449ca3cSArd Biesheuvel + CR_ST_WORD(d, 3) + S1(CR_ST_WORD(d, 0)) 350b449ca3cSArd Biesheuvel + CR_ST_WORD(m, i); 351f1ecb913SArd Biesheuvel 352b449ca3cSArd Biesheuvel CR_ST_WORD(d, 3) = CR_ST_WORD(d, 2); 353b449ca3cSArd Biesheuvel CR_ST_WORD(d, 2) = CR_ST_WORD(d, 1); 354b449ca3cSArd Biesheuvel CR_ST_WORD(d, 1) = CR_ST_WORD(d, 0); 355b449ca3cSArd Biesheuvel CR_ST_WORD(d, 0) = CR_ST_WORD(n, 3 - i) + t; 356f1ecb913SArd Biesheuvel } 357f1ecb913SArd Biesheuvel 3581a66ac61SRichard Henderson rd[0] = d.l[0]; 3591a66ac61SRichard Henderson rd[1] = d.l[1]; 360effa992fSRichard Henderson 361effa992fSRichard Henderson clear_tail_16(vd, desc); 362f1ecb913SArd Biesheuvel } 363f1ecb913SArd Biesheuvel 364effa992fSRichard Henderson void HELPER(crypto_sha256su0)(void *vd, void *vm, uint32_t desc) 365f1ecb913SArd Biesheuvel { 3661a66ac61SRichard Henderson uint64_t *rd = vd; 3671a66ac61SRichard Henderson uint64_t *rm = vm; 3681a66ac61SRichard Henderson union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 3691a66ac61SRichard Henderson union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 370f1ecb913SArd Biesheuvel 371b449ca3cSArd Biesheuvel CR_ST_WORD(d, 0) += s0(CR_ST_WORD(d, 1)); 372b449ca3cSArd Biesheuvel CR_ST_WORD(d, 1) += s0(CR_ST_WORD(d, 2)); 373b449ca3cSArd Biesheuvel CR_ST_WORD(d, 2) += s0(CR_ST_WORD(d, 3)); 374b449ca3cSArd Biesheuvel CR_ST_WORD(d, 3) += s0(CR_ST_WORD(m, 0)); 375f1ecb913SArd Biesheuvel 3761a66ac61SRichard Henderson rd[0] = d.l[0]; 3771a66ac61SRichard Henderson rd[1] = d.l[1]; 378effa992fSRichard Henderson 379effa992fSRichard Henderson clear_tail_16(vd, desc); 380f1ecb913SArd Biesheuvel } 381f1ecb913SArd Biesheuvel 382effa992fSRichard Henderson void HELPER(crypto_sha256su1)(void *vd, void *vn, void *vm, uint32_t desc) 383f1ecb913SArd Biesheuvel { 3841a66ac61SRichard Henderson uint64_t *rd = vd; 3851a66ac61SRichard Henderson uint64_t *rn = vn; 3861a66ac61SRichard Henderson uint64_t *rm = vm; 3871a66ac61SRichard Henderson union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 3881a66ac61SRichard Henderson union CRYPTO_STATE n = { .l = { rn[0], rn[1] } }; 3891a66ac61SRichard Henderson union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 390f1ecb913SArd Biesheuvel 391b449ca3cSArd Biesheuvel CR_ST_WORD(d, 0) += s1(CR_ST_WORD(m, 2)) + CR_ST_WORD(n, 1); 392b449ca3cSArd Biesheuvel CR_ST_WORD(d, 1) += s1(CR_ST_WORD(m, 3)) + CR_ST_WORD(n, 2); 393b449ca3cSArd Biesheuvel CR_ST_WORD(d, 2) += s1(CR_ST_WORD(d, 0)) + CR_ST_WORD(n, 3); 394b449ca3cSArd Biesheuvel CR_ST_WORD(d, 3) += s1(CR_ST_WORD(d, 1)) + CR_ST_WORD(m, 0); 395f1ecb913SArd Biesheuvel 3961a66ac61SRichard Henderson rd[0] = d.l[0]; 3971a66ac61SRichard Henderson rd[1] = d.l[1]; 398effa992fSRichard Henderson 399effa992fSRichard Henderson clear_tail_16(vd, desc); 400f1ecb913SArd Biesheuvel } 40190b827d1SArd Biesheuvel 40290b827d1SArd Biesheuvel /* 40390b827d1SArd Biesheuvel * The SHA-512 logical functions (same as above but using 64-bit operands) 40490b827d1SArd Biesheuvel */ 40590b827d1SArd Biesheuvel 40690b827d1SArd Biesheuvel static uint64_t cho512(uint64_t x, uint64_t y, uint64_t z) 40790b827d1SArd Biesheuvel { 40890b827d1SArd Biesheuvel return (x & (y ^ z)) ^ z; 40990b827d1SArd Biesheuvel } 41090b827d1SArd Biesheuvel 41190b827d1SArd Biesheuvel static uint64_t maj512(uint64_t x, uint64_t y, uint64_t z) 41290b827d1SArd Biesheuvel { 41390b827d1SArd Biesheuvel return (x & y) | ((x | y) & z); 41490b827d1SArd Biesheuvel } 41590b827d1SArd Biesheuvel 41690b827d1SArd Biesheuvel static uint64_t S0_512(uint64_t x) 41790b827d1SArd Biesheuvel { 41890b827d1SArd Biesheuvel return ror64(x, 28) ^ ror64(x, 34) ^ ror64(x, 39); 41990b827d1SArd Biesheuvel } 42090b827d1SArd Biesheuvel 42190b827d1SArd Biesheuvel static uint64_t S1_512(uint64_t x) 42290b827d1SArd Biesheuvel { 42390b827d1SArd Biesheuvel return ror64(x, 14) ^ ror64(x, 18) ^ ror64(x, 41); 42490b827d1SArd Biesheuvel } 42590b827d1SArd Biesheuvel 42690b827d1SArd Biesheuvel static uint64_t s0_512(uint64_t x) 42790b827d1SArd Biesheuvel { 42890b827d1SArd Biesheuvel return ror64(x, 1) ^ ror64(x, 8) ^ (x >> 7); 42990b827d1SArd Biesheuvel } 43090b827d1SArd Biesheuvel 43190b827d1SArd Biesheuvel static uint64_t s1_512(uint64_t x) 43290b827d1SArd Biesheuvel { 43390b827d1SArd Biesheuvel return ror64(x, 19) ^ ror64(x, 61) ^ (x >> 6); 43490b827d1SArd Biesheuvel } 43590b827d1SArd Biesheuvel 436aaffebd6SRichard Henderson void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm, uint32_t desc) 43790b827d1SArd Biesheuvel { 43890b827d1SArd Biesheuvel uint64_t *rd = vd; 43990b827d1SArd Biesheuvel uint64_t *rn = vn; 44090b827d1SArd Biesheuvel uint64_t *rm = vm; 44190b827d1SArd Biesheuvel uint64_t d0 = rd[0]; 44290b827d1SArd Biesheuvel uint64_t d1 = rd[1]; 44390b827d1SArd Biesheuvel 44490b827d1SArd Biesheuvel d1 += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]); 44590b827d1SArd Biesheuvel d0 += S1_512(d1 + rm[0]) + cho512(d1 + rm[0], rm[1], rn[0]); 44690b827d1SArd Biesheuvel 44790b827d1SArd Biesheuvel rd[0] = d0; 44890b827d1SArd Biesheuvel rd[1] = d1; 449aaffebd6SRichard Henderson 450aaffebd6SRichard Henderson clear_tail_16(vd, desc); 45190b827d1SArd Biesheuvel } 45290b827d1SArd Biesheuvel 453aaffebd6SRichard Henderson void HELPER(crypto_sha512h2)(void *vd, void *vn, void *vm, uint32_t desc) 45490b827d1SArd Biesheuvel { 45590b827d1SArd Biesheuvel uint64_t *rd = vd; 45690b827d1SArd Biesheuvel uint64_t *rn = vn; 45790b827d1SArd Biesheuvel uint64_t *rm = vm; 45890b827d1SArd Biesheuvel uint64_t d0 = rd[0]; 45990b827d1SArd Biesheuvel uint64_t d1 = rd[1]; 46090b827d1SArd Biesheuvel 46190b827d1SArd Biesheuvel d1 += S0_512(rm[0]) + maj512(rn[0], rm[1], rm[0]); 46290b827d1SArd Biesheuvel d0 += S0_512(d1) + maj512(d1, rm[0], rm[1]); 46390b827d1SArd Biesheuvel 46490b827d1SArd Biesheuvel rd[0] = d0; 46590b827d1SArd Biesheuvel rd[1] = d1; 466aaffebd6SRichard Henderson 467aaffebd6SRichard Henderson clear_tail_16(vd, desc); 46890b827d1SArd Biesheuvel } 46990b827d1SArd Biesheuvel 470aaffebd6SRichard Henderson void HELPER(crypto_sha512su0)(void *vd, void *vn, uint32_t desc) 47190b827d1SArd Biesheuvel { 47290b827d1SArd Biesheuvel uint64_t *rd = vd; 47390b827d1SArd Biesheuvel uint64_t *rn = vn; 47490b827d1SArd Biesheuvel uint64_t d0 = rd[0]; 47590b827d1SArd Biesheuvel uint64_t d1 = rd[1]; 47690b827d1SArd Biesheuvel 47790b827d1SArd Biesheuvel d0 += s0_512(rd[1]); 47890b827d1SArd Biesheuvel d1 += s0_512(rn[0]); 47990b827d1SArd Biesheuvel 48090b827d1SArd Biesheuvel rd[0] = d0; 48190b827d1SArd Biesheuvel rd[1] = d1; 482aaffebd6SRichard Henderson 483aaffebd6SRichard Henderson clear_tail_16(vd, desc); 48490b827d1SArd Biesheuvel } 48590b827d1SArd Biesheuvel 486aaffebd6SRichard Henderson void HELPER(crypto_sha512su1)(void *vd, void *vn, void *vm, uint32_t desc) 48790b827d1SArd Biesheuvel { 48890b827d1SArd Biesheuvel uint64_t *rd = vd; 48990b827d1SArd Biesheuvel uint64_t *rn = vn; 49090b827d1SArd Biesheuvel uint64_t *rm = vm; 49190b827d1SArd Biesheuvel 49290b827d1SArd Biesheuvel rd[0] += s1_512(rn[0]) + rm[0]; 49390b827d1SArd Biesheuvel rd[1] += s1_512(rn[1]) + rm[1]; 494aaffebd6SRichard Henderson 495aaffebd6SRichard Henderson clear_tail_16(vd, desc); 49690b827d1SArd Biesheuvel } 49780d6f4c6SArd Biesheuvel 498aaffebd6SRichard Henderson void HELPER(crypto_sm3partw1)(void *vd, void *vn, void *vm, uint32_t desc) 49980d6f4c6SArd Biesheuvel { 50080d6f4c6SArd Biesheuvel uint64_t *rd = vd; 50180d6f4c6SArd Biesheuvel uint64_t *rn = vn; 50280d6f4c6SArd Biesheuvel uint64_t *rm = vm; 50380d6f4c6SArd Biesheuvel union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 50480d6f4c6SArd Biesheuvel union CRYPTO_STATE n = { .l = { rn[0], rn[1] } }; 50580d6f4c6SArd Biesheuvel union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 50680d6f4c6SArd Biesheuvel uint32_t t; 50780d6f4c6SArd Biesheuvel 50880d6f4c6SArd Biesheuvel t = CR_ST_WORD(d, 0) ^ CR_ST_WORD(n, 0) ^ ror32(CR_ST_WORD(m, 1), 17); 50980d6f4c6SArd Biesheuvel CR_ST_WORD(d, 0) = t ^ ror32(t, 17) ^ ror32(t, 9); 51080d6f4c6SArd Biesheuvel 51180d6f4c6SArd Biesheuvel t = CR_ST_WORD(d, 1) ^ CR_ST_WORD(n, 1) ^ ror32(CR_ST_WORD(m, 2), 17); 51280d6f4c6SArd Biesheuvel CR_ST_WORD(d, 1) = t ^ ror32(t, 17) ^ ror32(t, 9); 51380d6f4c6SArd Biesheuvel 51480d6f4c6SArd Biesheuvel t = CR_ST_WORD(d, 2) ^ CR_ST_WORD(n, 2) ^ ror32(CR_ST_WORD(m, 3), 17); 51580d6f4c6SArd Biesheuvel CR_ST_WORD(d, 2) = t ^ ror32(t, 17) ^ ror32(t, 9); 51680d6f4c6SArd Biesheuvel 51780d6f4c6SArd Biesheuvel t = CR_ST_WORD(d, 3) ^ CR_ST_WORD(n, 3) ^ ror32(CR_ST_WORD(d, 0), 17); 51880d6f4c6SArd Biesheuvel CR_ST_WORD(d, 3) = t ^ ror32(t, 17) ^ ror32(t, 9); 51980d6f4c6SArd Biesheuvel 52080d6f4c6SArd Biesheuvel rd[0] = d.l[0]; 52180d6f4c6SArd Biesheuvel rd[1] = d.l[1]; 522aaffebd6SRichard Henderson 523aaffebd6SRichard Henderson clear_tail_16(vd, desc); 52480d6f4c6SArd Biesheuvel } 52580d6f4c6SArd Biesheuvel 526aaffebd6SRichard Henderson void HELPER(crypto_sm3partw2)(void *vd, void *vn, void *vm, uint32_t desc) 52780d6f4c6SArd Biesheuvel { 52880d6f4c6SArd Biesheuvel uint64_t *rd = vd; 52980d6f4c6SArd Biesheuvel uint64_t *rn = vn; 53080d6f4c6SArd Biesheuvel uint64_t *rm = vm; 53180d6f4c6SArd Biesheuvel union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 53280d6f4c6SArd Biesheuvel union CRYPTO_STATE n = { .l = { rn[0], rn[1] } }; 53380d6f4c6SArd Biesheuvel union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 53480d6f4c6SArd Biesheuvel uint32_t t = CR_ST_WORD(n, 0) ^ ror32(CR_ST_WORD(m, 0), 25); 53580d6f4c6SArd Biesheuvel 53680d6f4c6SArd Biesheuvel CR_ST_WORD(d, 0) ^= t; 53780d6f4c6SArd Biesheuvel CR_ST_WORD(d, 1) ^= CR_ST_WORD(n, 1) ^ ror32(CR_ST_WORD(m, 1), 25); 53880d6f4c6SArd Biesheuvel CR_ST_WORD(d, 2) ^= CR_ST_WORD(n, 2) ^ ror32(CR_ST_WORD(m, 2), 25); 53980d6f4c6SArd Biesheuvel CR_ST_WORD(d, 3) ^= CR_ST_WORD(n, 3) ^ ror32(CR_ST_WORD(m, 3), 25) ^ 54080d6f4c6SArd Biesheuvel ror32(t, 17) ^ ror32(t, 2) ^ ror32(t, 26); 54180d6f4c6SArd Biesheuvel 54280d6f4c6SArd Biesheuvel rd[0] = d.l[0]; 54380d6f4c6SArd Biesheuvel rd[1] = d.l[1]; 544aaffebd6SRichard Henderson 545aaffebd6SRichard Henderson clear_tail_16(vd, desc); 54680d6f4c6SArd Biesheuvel } 54780d6f4c6SArd Biesheuvel 54843fa36c9SRichard Henderson static inline void QEMU_ALWAYS_INLINE 54943fa36c9SRichard Henderson crypto_sm3tt(uint64_t *rd, uint64_t *rn, uint64_t *rm, 55043fa36c9SRichard Henderson uint32_t desc, uint32_t opcode) 55180d6f4c6SArd Biesheuvel { 55280d6f4c6SArd Biesheuvel union CRYPTO_STATE d = { .l = { rd[0], rd[1] } }; 55380d6f4c6SArd Biesheuvel union CRYPTO_STATE n = { .l = { rn[0], rn[1] } }; 55480d6f4c6SArd Biesheuvel union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 55543fa36c9SRichard Henderson uint32_t imm2 = simd_data(desc); 55680d6f4c6SArd Biesheuvel uint32_t t; 55780d6f4c6SArd Biesheuvel 55880d6f4c6SArd Biesheuvel assert(imm2 < 4); 55980d6f4c6SArd Biesheuvel 56080d6f4c6SArd Biesheuvel if (opcode == 0 || opcode == 2) { 56180d6f4c6SArd Biesheuvel /* SM3TT1A, SM3TT2A */ 56280d6f4c6SArd Biesheuvel t = par(CR_ST_WORD(d, 3), CR_ST_WORD(d, 2), CR_ST_WORD(d, 1)); 56380d6f4c6SArd Biesheuvel } else if (opcode == 1) { 56480d6f4c6SArd Biesheuvel /* SM3TT1B */ 56580d6f4c6SArd Biesheuvel t = maj(CR_ST_WORD(d, 3), CR_ST_WORD(d, 2), CR_ST_WORD(d, 1)); 56680d6f4c6SArd Biesheuvel } else if (opcode == 3) { 56780d6f4c6SArd Biesheuvel /* SM3TT2B */ 56880d6f4c6SArd Biesheuvel t = cho(CR_ST_WORD(d, 3), CR_ST_WORD(d, 2), CR_ST_WORD(d, 1)); 56980d6f4c6SArd Biesheuvel } else { 57043fa36c9SRichard Henderson qemu_build_not_reached(); 57180d6f4c6SArd Biesheuvel } 57280d6f4c6SArd Biesheuvel 57380d6f4c6SArd Biesheuvel t += CR_ST_WORD(d, 0) + CR_ST_WORD(m, imm2); 57480d6f4c6SArd Biesheuvel 57580d6f4c6SArd Biesheuvel CR_ST_WORD(d, 0) = CR_ST_WORD(d, 1); 57680d6f4c6SArd Biesheuvel 57780d6f4c6SArd Biesheuvel if (opcode < 2) { 57880d6f4c6SArd Biesheuvel /* SM3TT1A, SM3TT1B */ 57980d6f4c6SArd Biesheuvel t += CR_ST_WORD(n, 3) ^ ror32(CR_ST_WORD(d, 3), 20); 58080d6f4c6SArd Biesheuvel 58180d6f4c6SArd Biesheuvel CR_ST_WORD(d, 1) = ror32(CR_ST_WORD(d, 2), 23); 58280d6f4c6SArd Biesheuvel } else { 58380d6f4c6SArd Biesheuvel /* SM3TT2A, SM3TT2B */ 58480d6f4c6SArd Biesheuvel t += CR_ST_WORD(n, 3); 58580d6f4c6SArd Biesheuvel t ^= rol32(t, 9) ^ rol32(t, 17); 58680d6f4c6SArd Biesheuvel 58780d6f4c6SArd Biesheuvel CR_ST_WORD(d, 1) = ror32(CR_ST_WORD(d, 2), 13); 58880d6f4c6SArd Biesheuvel } 58980d6f4c6SArd Biesheuvel 59080d6f4c6SArd Biesheuvel CR_ST_WORD(d, 2) = CR_ST_WORD(d, 3); 59180d6f4c6SArd Biesheuvel CR_ST_WORD(d, 3) = t; 59280d6f4c6SArd Biesheuvel 59380d6f4c6SArd Biesheuvel rd[0] = d.l[0]; 59480d6f4c6SArd Biesheuvel rd[1] = d.l[1]; 59543fa36c9SRichard Henderson 59643fa36c9SRichard Henderson clear_tail_16(rd, desc); 59780d6f4c6SArd Biesheuvel } 598b6577bcdSArd Biesheuvel 59943fa36c9SRichard Henderson #define DO_SM3TT(NAME, OPCODE) \ 60043fa36c9SRichard Henderson void HELPER(NAME)(void *vd, void *vn, void *vm, uint32_t desc) \ 60143fa36c9SRichard Henderson { crypto_sm3tt(vd, vn, vm, desc, OPCODE); } 60243fa36c9SRichard Henderson 60343fa36c9SRichard Henderson DO_SM3TT(crypto_sm3tt1a, 0) 60443fa36c9SRichard Henderson DO_SM3TT(crypto_sm3tt1b, 1) 60543fa36c9SRichard Henderson DO_SM3TT(crypto_sm3tt2a, 2) 60643fa36c9SRichard Henderson DO_SM3TT(crypto_sm3tt2b, 3) 60743fa36c9SRichard Henderson 60843fa36c9SRichard Henderson #undef DO_SM3TT 60943fa36c9SRichard Henderson 610a04b68e1SRichard Henderson static void do_crypto_sm4e(uint64_t *rd, uint64_t *rn, uint64_t *rm) 611b6577bcdSArd Biesheuvel { 612a04b68e1SRichard Henderson union CRYPTO_STATE d = { .l = { rn[0], rn[1] } }; 613a04b68e1SRichard Henderson union CRYPTO_STATE n = { .l = { rm[0], rm[1] } }; 614b6577bcdSArd Biesheuvel uint32_t t, i; 615b6577bcdSArd Biesheuvel 616b6577bcdSArd Biesheuvel for (i = 0; i < 4; i++) { 617b6577bcdSArd Biesheuvel t = CR_ST_WORD(d, (i + 1) % 4) ^ 618b6577bcdSArd Biesheuvel CR_ST_WORD(d, (i + 2) % 4) ^ 619b6577bcdSArd Biesheuvel CR_ST_WORD(d, (i + 3) % 4) ^ 620b6577bcdSArd Biesheuvel CR_ST_WORD(n, i); 621b6577bcdSArd Biesheuvel 622b6577bcdSArd Biesheuvel t = sm4_sbox[t & 0xff] | 623b6577bcdSArd Biesheuvel sm4_sbox[(t >> 8) & 0xff] << 8 | 624b6577bcdSArd Biesheuvel sm4_sbox[(t >> 16) & 0xff] << 16 | 625b6577bcdSArd Biesheuvel sm4_sbox[(t >> 24) & 0xff] << 24; 626b6577bcdSArd Biesheuvel 627b6577bcdSArd Biesheuvel CR_ST_WORD(d, i) ^= t ^ rol32(t, 2) ^ rol32(t, 10) ^ rol32(t, 18) ^ 628b6577bcdSArd Biesheuvel rol32(t, 24); 629b6577bcdSArd Biesheuvel } 630b6577bcdSArd Biesheuvel 631b6577bcdSArd Biesheuvel rd[0] = d.l[0]; 632b6577bcdSArd Biesheuvel rd[1] = d.l[1]; 633b6577bcdSArd Biesheuvel } 634b6577bcdSArd Biesheuvel 635a04b68e1SRichard Henderson void HELPER(crypto_sm4e)(void *vd, void *vn, void *vm, uint32_t desc) 636b6577bcdSArd Biesheuvel { 637a04b68e1SRichard Henderson intptr_t i, opr_sz = simd_oprsz(desc); 638a04b68e1SRichard Henderson 639a04b68e1SRichard Henderson for (i = 0; i < opr_sz; i += 16) { 640a04b68e1SRichard Henderson do_crypto_sm4e(vd + i, vn + i, vm + i); 641a04b68e1SRichard Henderson } 642a04b68e1SRichard Henderson clear_tail(vd, opr_sz, simd_maxsz(desc)); 643a04b68e1SRichard Henderson } 644a04b68e1SRichard Henderson 645a04b68e1SRichard Henderson static void do_crypto_sm4ekey(uint64_t *rd, uint64_t *rn, uint64_t *rm) 646a04b68e1SRichard Henderson { 647b6577bcdSArd Biesheuvel union CRYPTO_STATE d; 648b6577bcdSArd Biesheuvel union CRYPTO_STATE n = { .l = { rn[0], rn[1] } }; 649b6577bcdSArd Biesheuvel union CRYPTO_STATE m = { .l = { rm[0], rm[1] } }; 650b6577bcdSArd Biesheuvel uint32_t t, i; 651b6577bcdSArd Biesheuvel 652b6577bcdSArd Biesheuvel d = n; 653b6577bcdSArd Biesheuvel for (i = 0; i < 4; i++) { 654b6577bcdSArd Biesheuvel t = CR_ST_WORD(d, (i + 1) % 4) ^ 655b6577bcdSArd Biesheuvel CR_ST_WORD(d, (i + 2) % 4) ^ 656b6577bcdSArd Biesheuvel CR_ST_WORD(d, (i + 3) % 4) ^ 657b6577bcdSArd Biesheuvel CR_ST_WORD(m, i); 658b6577bcdSArd Biesheuvel 659b6577bcdSArd Biesheuvel t = sm4_sbox[t & 0xff] | 660b6577bcdSArd Biesheuvel sm4_sbox[(t >> 8) & 0xff] << 8 | 661b6577bcdSArd Biesheuvel sm4_sbox[(t >> 16) & 0xff] << 16 | 662b6577bcdSArd Biesheuvel sm4_sbox[(t >> 24) & 0xff] << 24; 663b6577bcdSArd Biesheuvel 664b6577bcdSArd Biesheuvel CR_ST_WORD(d, i) ^= t ^ rol32(t, 13) ^ rol32(t, 23); 665b6577bcdSArd Biesheuvel } 666b6577bcdSArd Biesheuvel 667b6577bcdSArd Biesheuvel rd[0] = d.l[0]; 668b6577bcdSArd Biesheuvel rd[1] = d.l[1]; 669b6577bcdSArd Biesheuvel } 670a04b68e1SRichard Henderson 671a04b68e1SRichard Henderson void HELPER(crypto_sm4ekey)(void *vd, void *vn, void* vm, uint32_t desc) 672a04b68e1SRichard Henderson { 673a04b68e1SRichard Henderson intptr_t i, opr_sz = simd_oprsz(desc); 674a04b68e1SRichard Henderson 675a04b68e1SRichard Henderson for (i = 0; i < opr_sz; i += 16) { 676a04b68e1SRichard Henderson do_crypto_sm4ekey(vd + i, vn + i, vm + i); 677a04b68e1SRichard Henderson } 678a04b68e1SRichard Henderson clear_tail(vd, opr_sz, simd_maxsz(desc)); 679a04b68e1SRichard Henderson } 6801738860dSRichard Henderson 6811738860dSRichard Henderson void HELPER(crypto_rax1)(void *vd, void *vn, void *vm, uint32_t desc) 6821738860dSRichard Henderson { 6831738860dSRichard Henderson intptr_t i, opr_sz = simd_oprsz(desc); 6841738860dSRichard Henderson uint64_t *d = vd, *n = vn, *m = vm; 6851738860dSRichard Henderson 6861738860dSRichard Henderson for (i = 0; i < opr_sz / 8; ++i) { 6871738860dSRichard Henderson d[i] = n[i] ^ rol64(m[i], 1); 6881738860dSRichard Henderson } 6891738860dSRichard Henderson clear_tail(vd, opr_sz, simd_maxsz(desc)); 6901738860dSRichard Henderson } 691