1########################################################################
2# Implement fast SHA-512 with SSSE3 instructions. (x86_64)
3#
4# Copyright (C) 2013 Intel Corporation.
5#
6# Authors:
7# James Guilford <james.guilford@intel.com>
8# Kirk Yap <kirk.s.yap@intel.com>
9# David Cote <david.m.cote@intel.com>
10# Tim Chen <tim.c.chen@linux.intel.com>
11#
12# This software is available to you under a choice of one of two
13# licenses. You may choose to be licensed under the terms of the GNU
14# General Public License (GPL) Version 2, available from the file
15# COPYING in the main directory of this source tree, or the
16# OpenIB.org BSD license below:
17#
18# Redistribution and use in source and binary forms, with or
19# without modification, are permitted provided that the following
20# conditions are met:
21#
22# - Redistributions of source code must retain the above
23# copyright notice, this list of conditions and the following
24# disclaimer.
25#
26# - Redistributions in binary form must reproduce the above
27# copyright notice, this list of conditions and the following
28# disclaimer in the documentation and/or other materials
29# provided with the distribution.
30#
31# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
32# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
33# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
34# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
35# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
36# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
37# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
38# SOFTWARE.
39#
40########################################################################
41#
42# This code is described in an Intel White-Paper:
43# "Fast SHA-512 Implementations on Intel Architecture Processors"
44#
45# To find it, surf to http://www.intel.com/p/en_US/embedded
46# and search for that title.
47#
48########################################################################
49
50#include <linux/linkage.h>
51
52.text
53
54# Virtual Registers
55# ARG1
56digest = %rdi
57# ARG2
58msg = %rsi
59# ARG3
60msglen = %rdx
61T1 = %rcx
62T2 = %r8
63a_64 = %r9
64b_64 = %r10
65c_64 = %r11
66d_64 = %r12
67e_64 = %r13
68f_64 = %r14
69g_64 = %r15
70h_64 = %rbx
71tmp0 = %rax
72
73# Local variables (stack frame)
74
75W_SIZE = 80*8
76WK_SIZE = 2*8
77
78frame_W = 0
79frame_WK = frame_W + W_SIZE
80frame_size = frame_WK + WK_SIZE
81
82# Useful QWORD "arrays" for simpler memory references
83# MSG, DIGEST, K_t, W_t are arrays
84# WK_2(t) points to 1 of 2 qwords at frame.WK depending on t being odd/even
85
86# Input message (arg1)
87#define MSG(i) 8*i(msg)
88
89# Output Digest (arg2)
90#define DIGEST(i) 8*i(digest)
91
92# SHA Constants (static mem)
93#define K_t(i) 8*i+K512(%rip)
94
95# Message Schedule (stack frame)
96#define W_t(i) 8*i+frame_W(%rsp)
97
98# W[t]+K[t] (stack frame)
99#define WK_2(i) 8*((i%2))+frame_WK(%rsp)
100
101.macro RotateState
102 # Rotate symbols a..h right
103 TMP = h_64
104 h_64 = g_64
105 g_64 = f_64
106 f_64 = e_64
107 e_64 = d_64
108 d_64 = c_64
109 c_64 = b_64
110 b_64 = a_64
111 a_64 = TMP
112.endm
113
114.macro SHA512_Round rnd
115
116 # Compute Round %%t
117 mov f_64, T1 # T1 = f
118 mov e_64, tmp0 # tmp = e
119 xor g_64, T1 # T1 = f ^ g
120 ror $23, tmp0 # 41 # tmp = e ror 23
121 and e_64, T1 # T1 = (f ^ g) & e
122 xor e_64, tmp0 # tmp = (e ror 23) ^ e
123 xor g_64, T1 # T1 = ((f ^ g) & e) ^ g = CH(e,f,g)
124 idx = \rnd
125 add WK_2(idx), T1 # W[t] + K[t] from message scheduler
126 ror $4, tmp0 # 18 # tmp = ((e ror 23) ^ e) ror 4
127 xor e_64, tmp0 # tmp = (((e ror 23) ^ e) ror 4) ^ e
128 mov a_64, T2 # T2 = a
129 add h_64, T1 # T1 = CH(e,f,g) + W[t] + K[t] + h
130 ror $14, tmp0 # 14 # tmp = ((((e ror23)^e)ror4)^e)ror14 = S1(e)
131 add tmp0, T1 # T1 = CH(e,f,g) + W[t] + K[t] + S1(e)
132 mov a_64, tmp0 # tmp = a
133 xor c_64, T2 # T2 = a ^ c
134 and c_64, tmp0 # tmp = a & c
135 and b_64, T2 # T2 = (a ^ c) & b
136 xor tmp0, T2 # T2 = ((a ^ c) & b) ^ (a & c) = Maj(a,b,c)
137 mov a_64, tmp0 # tmp = a
138 ror $5, tmp0 # 39 # tmp = a ror 5
139 xor a_64, tmp0 # tmp = (a ror 5) ^ a
140 add T1, d_64 # e(next_state) = d + T1
141 ror $6, tmp0 # 34 # tmp = ((a ror 5) ^ a) ror 6
142 xor a_64, tmp0 # tmp = (((a ror 5) ^ a) ror 6) ^ a
143 lea (T1, T2), h_64 # a(next_state) = T1 + Maj(a,b,c)
144 ror $28, tmp0 # 28 # tmp = ((((a ror5)^a)ror6)^a)ror28 = S0(a)
145 add tmp0, h_64 # a(next_state) = T1 + Maj(a,b,c) S0(a)
146 RotateState
147.endm
148
149.macro SHA512_2Sched_2Round_sse rnd
150
151 # Compute rounds t-2 and t-1
152 # Compute message schedule QWORDS t and t+1
153
154 # Two rounds are computed based on the values for K[t-2]+W[t-2] and
155 # K[t-1]+W[t-1] which were previously stored at WK_2 by the message
156 # scheduler.
157 # The two new schedule QWORDS are stored at [W_t(%%t)] and [W_t(%%t+1)].
158 # They are then added to their respective SHA512 constants at
159 # [K_t(%%t)] and [K_t(%%t+1)] and stored at dqword [WK_2(%%t)]
160 # For brievity, the comments following vectored instructions only refer to
161 # the first of a pair of QWORDS.
162 # Eg. XMM2=W[t-2] really means XMM2={W[t-2]|W[t-1]}
163 # The computation of the message schedule and the rounds are tightly
164 # stitched to take advantage of instruction-level parallelism.
165 # For clarity, integer instructions (for the rounds calculation) are indented
166 # by one tab. Vectored instructions (for the message scheduler) are indented
167 # by two tabs.
168
169 mov f_64, T1
170 idx = \rnd -2
171 movdqa W_t(idx), %xmm2 # XMM2 = W[t-2]
172 xor g_64, T1
173 and e_64, T1
174 movdqa %xmm2, %xmm0 # XMM0 = W[t-2]
175 xor g_64, T1
176 idx = \rnd
177 add WK_2(idx), T1
178 idx = \rnd - 15
179 movdqu W_t(idx), %xmm5 # XMM5 = W[t-15]
180 mov e_64, tmp0
181 ror $23, tmp0 # 41
182 movdqa %xmm5, %xmm3 # XMM3 = W[t-15]
183 xor e_64, tmp0
184 ror $4, tmp0 # 18
185 psrlq $61-19, %xmm0 # XMM0 = W[t-2] >> 42
186 xor e_64, tmp0
187 ror $14, tmp0 # 14
188 psrlq $(8-7), %xmm3 # XMM3 = W[t-15] >> 1
189 add tmp0, T1
190 add h_64, T1
191 pxor %xmm2, %xmm0 # XMM0 = (W[t-2] >> 42) ^ W[t-2]
192 mov a_64, T2
193 xor c_64, T2
194 pxor %xmm5, %xmm3 # XMM3 = (W[t-15] >> 1) ^ W[t-15]
195 and b_64, T2
196 mov a_64, tmp0
197 psrlq $(19-6), %xmm0 # XMM0 = ((W[t-2]>>42)^W[t-2])>>13
198 and c_64, tmp0
199 xor tmp0, T2
200 psrlq $(7-1), %xmm3 # XMM3 = ((W[t-15]>>1)^W[t-15])>>6
201 mov a_64, tmp0
202 ror $5, tmp0 # 39
203 pxor %xmm2, %xmm0 # XMM0 = (((W[t-2]>>42)^W[t-2])>>13)^W[t-2]
204 xor a_64, tmp0
205 ror $6, tmp0 # 34
206 pxor %xmm5, %xmm3 # XMM3 = (((W[t-15]>>1)^W[t-15])>>6)^W[t-15]
207 xor a_64, tmp0
208 ror $28, tmp0 # 28
209 psrlq $6, %xmm0 # XMM0 = ((((W[t-2]>>42)^W[t-2])>>13)^W[t-2])>>6
210 add tmp0, T2
211 add T1, d_64
212 psrlq $1, %xmm3 # XMM3 = (((W[t-15]>>1)^W[t-15])>>6)^W[t-15]>>1
213 lea (T1, T2), h_64
214 RotateState
215 movdqa %xmm2, %xmm1 # XMM1 = W[t-2]
216 mov f_64, T1
217 xor g_64, T1
218 movdqa %xmm5, %xmm4 # XMM4 = W[t-15]
219 and e_64, T1
220 xor g_64, T1
221 psllq $(64-19)-(64-61) , %xmm1 # XMM1 = W[t-2] << 42
222 idx = \rnd + 1
223 add WK_2(idx), T1
224 mov e_64, tmp0
225 psllq $(64-1)-(64-8), %xmm4 # XMM4 = W[t-15] << 7
226 ror $23, tmp0 # 41
227 xor e_64, tmp0
228 pxor %xmm2, %xmm1 # XMM1 = (W[t-2] << 42)^W[t-2]
229 ror $4, tmp0 # 18
230 xor e_64, tmp0
231 pxor %xmm5, %xmm4 # XMM4 = (W[t-15]<<7)^W[t-15]
232 ror $14, tmp0 # 14
233 add tmp0, T1
234 psllq $(64-61), %xmm1 # XMM1 = ((W[t-2] << 42)^W[t-2])<<3
235 add h_64, T1
236 mov a_64, T2
237 psllq $(64-8), %xmm4 # XMM4 = ((W[t-15]<<7)^W[t-15])<<56
238 xor c_64, T2
239 and b_64, T2
240 pxor %xmm1, %xmm0 # XMM0 = s1(W[t-2])
241 mov a_64, tmp0
242 and c_64, tmp0
243 idx = \rnd - 7
244 movdqu W_t(idx), %xmm1 # XMM1 = W[t-7]
245 xor tmp0, T2
246 pxor %xmm4, %xmm3 # XMM3 = s0(W[t-15])
247 mov a_64, tmp0
248 paddq %xmm3, %xmm0 # XMM0 = s1(W[t-2]) + s0(W[t-15])
249 ror $5, tmp0 # 39
250 idx =\rnd-16
251 paddq W_t(idx), %xmm0 # XMM0 = s1(W[t-2]) + s0(W[t-15]) + W[t-16]
252 xor a_64, tmp0
253 paddq %xmm1, %xmm0 # XMM0 = s1(W[t-2]) + W[t-7] + s0(W[t-15]) + W[t-16]
254 ror $6, tmp0 # 34
255 movdqa %xmm0, W_t(\rnd) # Store scheduled qwords
256 xor a_64, tmp0
257 paddq K_t(\rnd), %xmm0 # Compute W[t]+K[t]
258 ror $28, tmp0 # 28
259 idx = \rnd
260 movdqa %xmm0, WK_2(idx) # Store W[t]+K[t] for next rounds
261 add tmp0, T2
262 add T1, d_64
263 lea (T1, T2), h_64
264 RotateState
265.endm
266
267########################################################################
268# void sha512_transform_ssse3(struct sha512_block_state *state,
269# const u8 *data, size_t nblocks);
270# Purpose: Updates the SHA512 digest stored at "state" with the message
271# stored in "data".
272# The size of the message pointed to by "data" must be an integer multiple
273# of SHA512 message blocks.
274# "nblocks" is the message length in SHA512 blocks. Must be >= 1.
275########################################################################
276SYM_FUNC_START(sha512_transform_ssse3)
277
278 # Save GPRs
279 push %rbx
280 push %r12
281 push %r13
282 push %r14
283 push %r15
284
285 # Allocate Stack Space
286 push %rbp
287 mov %rsp, %rbp
288 sub $frame_size, %rsp
289 and $~(0x20 - 1), %rsp
290
291.Lupdateblock:
292
293# Load state variables
294 mov DIGEST(0), a_64
295 mov DIGEST(1), b_64
296 mov DIGEST(2), c_64
297 mov DIGEST(3), d_64
298 mov DIGEST(4), e_64
299 mov DIGEST(5), f_64
300 mov DIGEST(6), g_64
301 mov DIGEST(7), h_64
302
303 t = 0
304 .rept 80/2 + 1
305 # (80 rounds) / (2 rounds/iteration) + (1 iteration)
306 # +1 iteration because the scheduler leads hashing by 1 iteration
307 .if t < 2
308 # BSWAP 2 QWORDS
309 movdqa XMM_QWORD_BSWAP(%rip), %xmm1
310 movdqu MSG(t), %xmm0
311 pshufb %xmm1, %xmm0 # BSWAP
312 movdqa %xmm0, W_t(t) # Store Scheduled Pair
313 paddq K_t(t), %xmm0 # Compute W[t]+K[t]
314 movdqa %xmm0, WK_2(t) # Store into WK for rounds
315 .elseif t < 16
316 # BSWAP 2 QWORDS# Compute 2 Rounds
317 movdqu MSG(t), %xmm0
318 pshufb %xmm1, %xmm0 # BSWAP
319 SHA512_Round t-2 # Round t-2
320 movdqa %xmm0, W_t(t) # Store Scheduled Pair
321 paddq K_t(t), %xmm0 # Compute W[t]+K[t]
322 SHA512_Round t-1 # Round t-1
323 movdqa %xmm0, WK_2(t) # Store W[t]+K[t] into WK
324 .elseif t < 79
325 # Schedule 2 QWORDS# Compute 2 Rounds
326 SHA512_2Sched_2Round_sse t
327 .else
328 # Compute 2 Rounds
329 SHA512_Round t-2
330 SHA512_Round t-1
331 .endif
332 t = t+2
333 .endr
334
335 # Update digest
336 add a_64, DIGEST(0)
337 add b_64, DIGEST(1)
338 add c_64, DIGEST(2)
339 add d_64, DIGEST(3)
340 add e_64, DIGEST(4)
341 add f_64, DIGEST(5)
342 add g_64, DIGEST(6)
343 add h_64, DIGEST(7)
344
345 # Advance to next message block
346 add $16*8, msg
347 dec msglen
348 jnz .Lupdateblock
349
350 # Restore Stack Pointer
351 mov %rbp, %rsp
352 pop %rbp
353
354 # Restore GPRs
355 pop %r15
356 pop %r14
357 pop %r13
358 pop %r12
359 pop %rbx
360
361 RET
362SYM_FUNC_END(sha512_transform_ssse3)
363
364########################################################################
365### Binary Data
366
367.section .rodata.cst16.XMM_QWORD_BSWAP, "aM", @progbits, 16
368.align 16
369# Mask for byte-swapping a couple of qwords in an XMM register using (v)pshufb.
370XMM_QWORD_BSWAP:
371 .octa 0x08090a0b0c0d0e0f0001020304050607
372
373# Mergeable 640-byte rodata section. This allows linker to merge the table
374# with other, exactly the same 640-byte fragment of another rodata section
375# (if such section exists).
376.section .rodata.cst640.K512, "aM", @progbits, 640
377.align 64
378# K[t] used in SHA512 hashing
379K512:
380 .quad 0x428a2f98d728ae22,0x7137449123ef65cd
381 .quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc
382 .quad 0x3956c25bf348b538,0x59f111f1b605d019
383 .quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118
384 .quad 0xd807aa98a3030242,0x12835b0145706fbe
385 .quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2
386 .quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1
387 .quad 0x9bdc06a725c71235,0xc19bf174cf692694
388 .quad 0xe49b69c19ef14ad2,0xefbe4786384f25e3
389 .quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65
390 .quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483
391 .quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5
392 .quad 0x983e5152ee66dfab,0xa831c66d2db43210
393 .quad 0xb00327c898fb213f,0xbf597fc7beef0ee4
394 .quad 0xc6e00bf33da88fc2,0xd5a79147930aa725
395 .quad 0x06ca6351e003826f,0x142929670a0e6e70
396 .quad 0x27b70a8546d22ffc,0x2e1b21385c26c926
397 .quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df
398 .quad 0x650a73548baf63de,0x766a0abb3c77b2a8
399 .quad 0x81c2c92e47edaee6,0x92722c851482353b
400 .quad 0xa2bfe8a14cf10364,0xa81a664bbc423001
401 .quad 0xc24b8b70d0f89791,0xc76c51a30654be30
402 .quad 0xd192e819d6ef5218,0xd69906245565a910
403 .quad 0xf40e35855771202a,0x106aa07032bbd1b8
404 .quad 0x19a4c116b8d2d0c8,0x1e376c085141ab53
405 .quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8
406 .quad 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb
407 .quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3
408 .quad 0x748f82ee5defb2fc,0x78a5636f43172f60
409 .quad 0x84c87814a1f0ab72,0x8cc702081a6439ec
410 .quad 0x90befffa23631e28,0xa4506cebde82bde9
411 .quad 0xbef9a3f7b2c67915,0xc67178f2e372532b
412 .quad 0xca273eceea26619c,0xd186b8c721c0c207
413 .quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178
414 .quad 0x06f067aa72176fba,0x0a637dc5a2c898a6
415 .quad 0x113f9804bef90dae,0x1b710b35131c471b
416 .quad 0x28db77f523047d84,0x32caab7b40c72493
417 .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c
418 .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a
419 .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817
420