fxr.watson.org: sys/contrib/openzfs/module/icp/asm-x86

FreeBSD/Linux Kernel Cross Reference
sys/contrib/openzfs/module/icp/asm-x86_64/aes/aesopt.h

Version: - FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10

1 /* 2 * --------------------------------------------------------------------------- 3 * Copyright (c) 1998-2007, Brian Gladman, Worcester, UK. All rights reserved. 4 * 5 * LICENSE TERMS 6 * 7 * The free distribution and use of this software is allowed (with or without 8 * changes) provided that: 9 * 10 * 1. source code distributions include the above copyright notice, this 11 * list of conditions and the following disclaimer; 12 * 13 * 2. binary distributions include the above copyright notice, this list 14 * of conditions and the following disclaimer in their documentation; 15 * 16 * 3. the name of the copyright holder is not used to endorse products 17 * built using this software without specific written permission. 18 * 19 * DISCLAIMER 20 * 21 * This software is provided 'as is' with no explicit or implied warranties 22 * in respect of its properties, including, but not limited to, correctness 23 * and/or fitness for purpose. 24 * --------------------------------------------------------------------------- 25 * Issue Date: 20/12/2007 26 * 27 * This file contains the compilation options for AES (Rijndael) and code 28 * that is common across encryption, key scheduling and table generation. 29 * 30 * OPERATION 31 * 32 * These source code files implement the AES algorithm Rijndael designed by 33 * Joan Daemen and Vincent Rijmen. This version is designed for the standard 34 * block size of 16 bytes and for key sizes of 128, 192 and 256 bits (16, 24 35 * and 32 bytes). 36 * 37 * This version is designed for flexibility and speed using operations on 38 * 32-bit words rather than operations on bytes. It can be compiled with 39 * either big or little endian internal byte order but is faster when the 40 * native byte order for the processor is used. 41 * 42 * THE CIPHER INTERFACE 43 * 44 * The cipher interface is implemented as an array of bytes in which lower 45 * AES bit sequence indexes map to higher numeric significance within bytes. 46 */ 47 48 /* 49 * OpenSolaris changes 50 * 1. Added __cplusplus and _AESTAB_H header guards 51 * 2. Added header files sys/types.h and aes_impl.h 52 * 3. Added defines for AES_ENCRYPT, AES_DECRYPT, AES_REV_DKS, and ASM_AMD64_C 53 * 4. Moved defines for IS_BIG_ENDIAN, IS_LITTLE_ENDIAN, PLATFORM_BYTE_ORDER 54 * from brg_endian.h 55 * 5. Undefined VIA_ACE_POSSIBLE and ASSUME_VIA_ACE_PRESENT 56 * 6. Changed uint_8t and uint_32t to uint8_t and uint32_t 57 * 7. Defined aes_sw32 as htonl() for byte swapping 58 * 8. Cstyled and hdrchk code 59 * 60 */ 61 62 #ifndef _AESOPT_H 63 #define _AESOPT_H 64 65 #ifdef __cplusplus 66 extern "C" { 67 #endif 68 69 #include <sys/zfs_context.h> 70 #include <aes/aes_impl.h> 71 72 /* SUPPORT FEATURES */ 73 #define AES_ENCRYPT /* if support for encryption is needed */ 74 #define AES_DECRYPT /* if support for decryption is needed */ 75 76 /* PLATFORM-SPECIFIC FEATURES */ 77 #define IS_BIG_ENDIAN 4321 /* byte 0 is most significant (mc68k) */ 78 #define IS_LITTLE_ENDIAN 1234 /* byte 0 is least significant (i386) */ 79 #define PLATFORM_BYTE_ORDER IS_LITTLE_ENDIAN 80 #define AES_REV_DKS /* define to reverse decryption key schedule */ 81 82 83 /* 84 * CONFIGURATION - THE USE OF DEFINES 85 * Later in this section there are a number of defines that control the 86 * operation of the code. In each section, the purpose of each define is 87 * explained so that the relevant form can be included or excluded by 88 * setting either 1's or 0's respectively on the branches of the related 89 * #if clauses. The following local defines should not be changed. 90 */ 91 92 #define ENCRYPTION_IN_C 1 93 #define DECRYPTION_IN_C 2 94 #define ENC_KEYING_IN_C 4 95 #define DEC_KEYING_IN_C 8 96 97 #define NO_TABLES 0 98 #define ONE_TABLE 1 99 #define FOUR_TABLES 4 100 #define NONE 0 101 #define PARTIAL 1 102 #define FULL 2 103 104 /* --- START OF USER CONFIGURED OPTIONS --- */ 105 106 /* 107 * 1. BYTE ORDER WITHIN 32 BIT WORDS 108 * 109 * The fundamental data processing units in Rijndael are 8-bit bytes. The 110 * input, output and key input are all enumerated arrays of bytes in which 111 * bytes are numbered starting at zero and increasing to one less than the 112 * number of bytes in the array in question. This enumeration is only used 113 * for naming bytes and does not imply any adjacency or order relationship 114 * from one byte to another. When these inputs and outputs are considered 115 * as bit sequences, bits 8*n to 8*n+7 of the bit sequence are mapped to 116 * byte[n] with bit 8n+i in the sequence mapped to bit 7-i within the byte. 117 * In this implementation bits are numbered from 0 to 7 starting at the 118 * numerically least significant end of each byte. Bit n represents 2^n. 119 * 120 * However, Rijndael can be implemented more efficiently using 32-bit 121 * words by packing bytes into words so that bytes 4*n to 4*n+3 are placed 122 * into word[n]. While in principle these bytes can be assembled into words 123 * in any positions, this implementation only supports the two formats in 124 * which bytes in adjacent positions within words also have adjacent byte 125 * numbers. This order is called big-endian if the lowest numbered bytes 126 * in words have the highest numeric significance and little-endian if the 127 * opposite applies. 128 * 129 * This code can work in either order irrespective of the order used by the 130 * machine on which it runs. Normally the internal byte order will be set 131 * to the order of the processor on which the code is to be run but this 132 * define can be used to reverse this in special situations 133 * 134 * WARNING: Assembler code versions rely on PLATFORM_BYTE_ORDER being set. 135 * This define will hence be redefined later (in section 4) if necessary 136 */ 137 138 #if 1 139 #define ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER 140 #elif 0 141 #define ALGORITHM_BYTE_ORDER IS_LITTLE_ENDIAN 142 #elif 0 143 #define ALGORITHM_BYTE_ORDER IS_BIG_ENDIAN 144 #else 145 #error The algorithm byte order is not defined 146 #endif 147 148 /* 2. VIA ACE SUPPORT */ 149 150 #if defined(__GNUC__) && defined(__i386__) || \ 151 defined(_WIN32) && defined(_M_IX86) && \ 152 !(defined(_WIN64) || defined(_WIN32_WCE) || \ 153 defined(_MSC_VER) && (_MSC_VER <= 800)) 154 #define VIA_ACE_POSSIBLE 155 #endif 156 157 /* 158 * Define this option if support for the VIA ACE is required. This uses 159 * inline assembler instructions and is only implemented for the Microsoft, 160 * Intel and GCC compilers. If VIA ACE is known to be present, then defining 161 * ASSUME_VIA_ACE_PRESENT will remove the ordinary encryption/decryption 162 * code. If USE_VIA_ACE_IF_PRESENT is defined then VIA ACE will be used if 163 * it is detected (both present and enabled) but the normal AES code will 164 * also be present. 165 * 166 * When VIA ACE is to be used, all AES encryption contexts MUST be 16 byte 167 * aligned; other input/output buffers do not need to be 16 byte aligned 168 * but there are very large performance gains if this can be arranged. 169 * VIA ACE also requires the decryption key schedule to be in reverse 170 * order (which later checks below ensure). 171 */ 172 173 /* VIA ACE is not used here for OpenSolaris: */ 174 #undef VIA_ACE_POSSIBLE 175 #undef ASSUME_VIA_ACE_PRESENT 176 177 #if 0 && defined(VIA_ACE_POSSIBLE) && !defined(USE_VIA_ACE_IF_PRESENT) 178 #define USE_VIA_ACE_IF_PRESENT 179 #endif 180 181 #if 0 && defined(VIA_ACE_POSSIBLE) && !defined(ASSUME_VIA_ACE_PRESENT) 182 #define ASSUME_VIA_ACE_PRESENT 183 #endif 184 185 186 /* 187 * 3. ASSEMBLER SUPPORT 188 * 189 * This define (which can be on the command line) enables the use of the 190 * assembler code routines for encryption, decryption and key scheduling 191 * as follows: 192 * 193 * ASM_X86_V1C uses the assembler (aes_x86_v1.asm) with large tables for 194 * encryption and decryption and but with key scheduling in C 195 * ASM_X86_V2 uses assembler (aes_x86_v2.asm) with compressed tables for 196 * encryption, decryption and key scheduling 197 * ASM_X86_V2C uses assembler (aes_x86_v2.asm) with compressed tables for 198 * encryption and decryption and but with key scheduling in C 199 * ASM_AMD64_C uses assembler (aes_amd64.asm) with compressed tables for 200 * encryption and decryption and but with key scheduling in C 201 * 202 * Change one 'if 0' below to 'if 1' to select the version or define 203 * as a compilation option. 204 */ 205 206 #if 0 && !defined(ASM_X86_V1C) 207 #define ASM_X86_V1C 208 #elif 0 && !defined(ASM_X86_V2) 209 #define ASM_X86_V2 210 #elif 0 && !defined(ASM_X86_V2C) 211 #define ASM_X86_V2C 212 #elif 1 && !defined(ASM_AMD64_C) 213 #define ASM_AMD64_C 214 #endif 215 216 #if (defined(ASM_X86_V1C) || defined(ASM_X86_V2) || defined(ASM_X86_V2C)) && \ 217 !defined(_M_IX86) || defined(ASM_AMD64_C) && !defined(_M_X64) && \ 218 !defined(__amd64) 219 #error Assembler code is only available for x86 and AMD64 systems 220 #endif 221 222 /* 223 * 4. FAST INPUT/OUTPUT OPERATIONS. 224 * 225 * On some machines it is possible to improve speed by transferring the 226 * bytes in the input and output arrays to and from the internal 32-bit 227 * variables by addressing these arrays as if they are arrays of 32-bit 228 * words. On some machines this will always be possible but there may 229 * be a large performance penalty if the byte arrays are not aligned on 230 * the normal word boundaries. On other machines this technique will 231 * lead to memory access errors when such 32-bit word accesses are not 232 * properly aligned. The option SAFE_IO avoids such problems but will 233 * often be slower on those machines that support misaligned access 234 * (especially so if care is taken to align the input and output byte 235 * arrays on 32-bit word boundaries). If SAFE_IO is not defined it is 236 * assumed that access to byte arrays as if they are arrays of 32-bit 237 * words will not cause problems when such accesses are misaligned. 238 */ 239 #if 1 && !defined(_MSC_VER) 240 #define SAFE_IO 241 #endif 242 243 /* 244 * 5. LOOP UNROLLING 245 * 246 * The code for encryption and decryption cycles through a number of rounds 247 * that can be implemented either in a loop or by expanding the code into a 248 * long sequence of instructions, the latter producing a larger program but 249 * one that will often be much faster. The latter is called loop unrolling. 250 * There are also potential speed advantages in expanding two iterations in 251 * a loop with half the number of iterations, which is called partial loop 252 * unrolling. The following options allow partial or full loop unrolling 253 * to be set independently for encryption and decryption 254 */ 255 #if 1 256 #define ENC_UNROLL FULL 257 #elif 0 258 #define ENC_UNROLL PARTIAL 259 #else 260 #define ENC_UNROLL NONE 261 #endif 262 263 #if 1 264 #define DEC_UNROLL FULL 265 #elif 0 266 #define DEC_UNROLL PARTIAL 267 #else 268 #define DEC_UNROLL NONE 269 #endif 270 271 #if 1 272 #define ENC_KS_UNROLL 273 #endif 274 275 #if 1 276 #define DEC_KS_UNROLL 277 #endif 278 279 /* 280 * 6. FAST FINITE FIELD OPERATIONS 281 * 282 * If this section is included, tables are used to provide faster finite 283 * field arithmetic. This has no effect if FIXED_TABLES is defined. 284 */ 285 #if 1 286 #define FF_TABLES 287 #endif 288 289 /* 290 * 7. INTERNAL STATE VARIABLE FORMAT 291 * 292 * The internal state of Rijndael is stored in a number of local 32-bit 293 * word variables which can be defined either as an array or as individual 294 * names variables. Include this section if you want to store these local 295 * variables in arrays. Otherwise individual local variables will be used. 296 */ 297 #if 1 298 #define ARRAYS 299 #endif 300 301 /* 302 * 8. FIXED OR DYNAMIC TABLES 303 * 304 * When this section is included the tables used by the code are compiled 305 * statically into the binary file. Otherwise the subroutine aes_init() 306 * must be called to compute them before the code is first used. 307 */ 308 #if 1 && !(defined(_MSC_VER) && (_MSC_VER <= 800)) 309 #define FIXED_TABLES 310 #endif 311 312 /* 313 * 9. MASKING OR CASTING FROM LONGER VALUES TO BYTES 314 * 315 * In some systems it is better to mask longer values to extract bytes 316 * rather than using a cast. This option allows this choice. 317 */ 318 #if 0 319 #define to_byte(x) ((uint8_t)(x)) 320 #else 321 #define to_byte(x) ((x) & 0xff) 322 #endif 323 324 /* 325 * 10. TABLE ALIGNMENT 326 * 327 * On some systems speed will be improved by aligning the AES large lookup 328 * tables on particular boundaries. This define should be set to a power of 329 * two giving the desired alignment. It can be left undefined if alignment 330 * is not needed. This option is specific to the Microsoft VC++ compiler - 331 * it seems to sometimes cause trouble for the VC++ version 6 compiler. 332 */ 333 334 #if 1 && defined(_MSC_VER) && (_MSC_VER >= 1300) 335 #define TABLE_ALIGN 32 336 #endif 337 338 /* 339 * 11. REDUCE CODE AND TABLE SIZE 340 * 341 * This replaces some expanded macros with function calls if AES_ASM_V2 or 342 * AES_ASM_V2C are defined 343 */ 344 345 #if 1 && (defined(ASM_X86_V2) || defined(ASM_X86_V2C)) 346 #define REDUCE_CODE_SIZE 347 #endif 348 349 /* 350 * 12. TABLE OPTIONS 351 * 352 * This cipher proceeds by repeating in a number of cycles known as rounds 353 * which are implemented by a round function which is optionally be speeded 354 * up using tables. The basic tables are 256 32-bit words, with either 355 * one or four tables being required for each round function depending on 356 * how much speed is required. Encryption and decryption round functions 357 * are different and the last encryption and decryption round functions are 358 * different again making four different round functions in all. 359 * 360 * This means that: 361 * 1. Normal encryption and decryption rounds can each use either 0, 1 362 * or 4 tables and table spaces of 0, 1024 or 4096 bytes each. 363 * 2. The last encryption and decryption rounds can also use either 0, 1 364 * or 4 tables and table spaces of 0, 1024 or 4096 bytes each. 365 * 366 * Include or exclude the appropriate definitions below to set the number 367 * of tables used by this implementation. 368 */ 369 370 #if 1 /* set tables for the normal encryption round */ 371 #define ENC_ROUND FOUR_TABLES 372 #elif 0 373 #define ENC_ROUND ONE_TABLE 374 #else 375 #define ENC_ROUND NO_TABLES 376 #endif 377 378 #if 1 /* set tables for the last encryption round */ 379 #define LAST_ENC_ROUND FOUR_TABLES 380 #elif 0 381 #define LAST_ENC_ROUND ONE_TABLE 382 #else 383 #define LAST_ENC_ROUND NO_TABLES 384 #endif 385 386 #if 1 /* set tables for the normal decryption round */ 387 #define DEC_ROUND FOUR_TABLES 388 #elif 0 389 #define DEC_ROUND ONE_TABLE 390 #else 391 #define DEC_ROUND NO_TABLES 392 #endif 393 394 #if 1 /* set tables for the last decryption round */ 395 #define LAST_DEC_ROUND FOUR_TABLES 396 #elif 0 397 #define LAST_DEC_ROUND ONE_TABLE 398 #else 399 #define LAST_DEC_ROUND NO_TABLES 400 #endif 401 402 /* 403 * The decryption key schedule can be speeded up with tables in the same 404 * way that the round functions can. Include or exclude the following 405 * defines to set this requirement. 406 */ 407 #if 1 408 #define KEY_SCHED FOUR_TABLES 409 #elif 0 410 #define KEY_SCHED ONE_TABLE 411 #else 412 #define KEY_SCHED NO_TABLES 413 #endif 414 415 /* ---- END OF USER CONFIGURED OPTIONS ---- */ 416 417 /* VIA ACE support is only available for VC++ and GCC */ 418 419 #if !defined(_MSC_VER) && !defined(__GNUC__) 420 #if defined(ASSUME_VIA_ACE_PRESENT) 421 #undef ASSUME_VIA_ACE_PRESENT 422 #endif 423 #if defined(USE_VIA_ACE_IF_PRESENT) 424 #undef USE_VIA_ACE_IF_PRESENT 425 #endif 426 #endif 427 428 #if defined(ASSUME_VIA_ACE_PRESENT) && !defined(USE_VIA_ACE_IF_PRESENT) 429 #define USE_VIA_ACE_IF_PRESENT 430 #endif 431 432 #if defined(USE_VIA_ACE_IF_PRESENT) && !defined(AES_REV_DKS) 433 #define AES_REV_DKS 434 #endif 435 436 /* Assembler support requires the use of platform byte order */ 437 438 #if (defined(ASM_X86_V1C) || defined(ASM_X86_V2C) || defined(ASM_AMD64_C)) && \ 439 (ALGORITHM_BYTE_ORDER != PLATFORM_BYTE_ORDER) 440 #undef ALGORITHM_BYTE_ORDER 441 #define ALGORITHM_BYTE_ORDER PLATFORM_BYTE_ORDER 442 #endif 443 444 /* 445 * In this implementation the columns of the state array are each held in 446 * 32-bit words. The state array can be held in various ways: in an array 447 * of words, in a number of individual word variables or in a number of 448 * processor registers. The following define maps a variable name x and 449 * a column number c to the way the state array variable is to be held. 450 * The first define below maps the state into an array x[c] whereas the 451 * second form maps the state into a number of individual variables x0, 452 * x1, etc. Another form could map individual state columns to machine 453 * register names. 454 */ 455 456 #if defined(ARRAYS) 457 #define s(x, c) x[c] 458 #else 459 #define s(x, c) x##c 460 #endif 461 462 /* 463 * This implementation provides subroutines for encryption, decryption 464 * and for setting the three key lengths (separately) for encryption 465 * and decryption. Since not all functions are needed, masks are set 466 * up here to determine which will be implemented in C 467 */ 468 469 #if !defined(AES_ENCRYPT) 470 #define EFUNCS_IN_C 0 471 #elif defined(ASSUME_VIA_ACE_PRESENT) || defined(ASM_X86_V1C) || \ 472 defined(ASM_X86_V2C) || defined(ASM_AMD64_C) 473 #define EFUNCS_IN_C ENC_KEYING_IN_C 474 #elif !defined(ASM_X86_V2) 475 #define EFUNCS_IN_C (ENCRYPTION_IN_C | ENC_KEYING_IN_C) 476 #else 477 #define EFUNCS_IN_C 0 478 #endif 479 480 #if !defined(AES_DECRYPT) 481 #define DFUNCS_IN_C 0 482 #elif defined(ASSUME_VIA_ACE_PRESENT) || defined(ASM_X86_V1C) || \ 483 defined(ASM_X86_V2C) || defined(ASM_AMD64_C) 484 #define DFUNCS_IN_C DEC_KEYING_IN_C 485 #elif !defined(ASM_X86_V2) 486 #define DFUNCS_IN_C (DECRYPTION_IN_C | DEC_KEYING_IN_C) 487 #else 488 #define DFUNCS_IN_C 0 489 #endif 490 491 #define FUNCS_IN_C (EFUNCS_IN_C | DFUNCS_IN_C) 492 493 /* END OF CONFIGURATION OPTIONS */ 494 495 /* Disable or report errors on some combinations of options */ 496 497 #if ENC_ROUND == NO_TABLES && LAST_ENC_ROUND != NO_TABLES 498 #undef LAST_ENC_ROUND 499 #define LAST_ENC_ROUND NO_TABLES 500 #elif ENC_ROUND == ONE_TABLE && LAST_ENC_ROUND == FOUR_TABLES 501 #undef LAST_ENC_ROUND 502 #define LAST_ENC_ROUND ONE_TABLE 503 #endif 504 505 #if ENC_ROUND == NO_TABLES && ENC_UNROLL != NONE 506 #undef ENC_UNROLL 507 #define ENC_UNROLL NONE 508 #endif 509 510 #if DEC_ROUND == NO_TABLES && LAST_DEC_ROUND != NO_TABLES 511 #undef LAST_DEC_ROUND 512 #define LAST_DEC_ROUND NO_TABLES 513 #elif DEC_ROUND == ONE_TABLE && LAST_DEC_ROUND == FOUR_TABLES 514 #undef LAST_DEC_ROUND 515 #define LAST_DEC_ROUND ONE_TABLE 516 #endif 517 518 #if DEC_ROUND == NO_TABLES && DEC_UNROLL != NONE 519 #undef DEC_UNROLL 520 #define DEC_UNROLL NONE 521 #endif 522 523 #if (ALGORITHM_BYTE_ORDER == IS_LITTLE_ENDIAN) 524 #define aes_sw32 htonl 525 #elif defined(bswap32) 526 #define aes_sw32 bswap32 527 #elif defined(bswap_32) 528 #define aes_sw32 bswap_32 529 #else 530 #define brot(x, n) (((uint32_t)(x) << (n)) | ((uint32_t)(x) >> (32 - (n)))) 531 #define aes_sw32(x) ((brot((x), 8) & 0x00ff00ff) | (brot((x), 24) & 0xff00ff00)) 532 #endif 533 534 535 /* 536 * upr(x, n): rotates bytes within words by n positions, moving bytes to 537 * higher index positions with wrap around into low positions 538 * ups(x, n): moves bytes by n positions to higher index positions in 539 * words but without wrap around 540 * bval(x, n): extracts a byte from a word 541 * 542 * WARNING: The definitions given here are intended only for use with 543 * unsigned variables and with shift counts that are compile 544 * time constants 545 */ 546 547 #if (ALGORITHM_BYTE_ORDER == IS_LITTLE_ENDIAN) 548 #define upr(x, n) (((uint32_t)(x) << (8 * (n))) | \ 549 ((uint32_t)(x) >> (32 - 8 * (n)))) 550 #define ups(x, n) ((uint32_t)(x) << (8 * (n))) 551 #define bval(x, n) to_byte((x) >> (8 * (n))) 552 #define bytes2word(b0, b1, b2, b3) \ 553 (((uint32_t)(b3) << 24) | ((uint32_t)(b2) << 16) | \ 554 ((uint32_t)(b1) << 8) | (b0)) 555 #endif 556 557 #if (ALGORITHM_BYTE_ORDER == IS_BIG_ENDIAN) 558 #define upr(x, n) (((uint32_t)(x) >> (8 * (n))) | \ 559 ((uint32_t)(x) << (32 - 8 * (n)))) 560 #define ups(x, n) ((uint32_t)(x) >> (8 * (n))) 561 #define bval(x, n) to_byte((x) >> (24 - 8 * (n))) 562 #define bytes2word(b0, b1, b2, b3) \ 563 (((uint32_t)(b0) << 24) | ((uint32_t)(b1) << 16) | \ 564 ((uint32_t)(b2) << 8) | (b3)) 565 #endif 566 567 #if defined(SAFE_IO) 568 #define word_in(x, c) bytes2word(((const uint8_t *)(x) + 4 * c)[0], \ 569 ((const uint8_t *)(x) + 4 * c)[1], \ 570 ((const uint8_t *)(x) + 4 * c)[2], \ 571 ((const uint8_t *)(x) + 4 * c)[3]) 572 #define word_out(x, c, v) { ((uint8_t *)(x) + 4 * c)[0] = bval(v, 0); \ 573 ((uint8_t *)(x) + 4 * c)[1] = bval(v, 1); \ 574 ((uint8_t *)(x) + 4 * c)[2] = bval(v, 2); \ 575 ((uint8_t *)(x) + 4 * c)[3] = bval(v, 3); } 576 #elif (ALGORITHM_BYTE_ORDER == PLATFORM_BYTE_ORDER) 577 #define word_in(x, c) (*((uint32_t *)(x) + (c))) 578 #define word_out(x, c, v) (*((uint32_t *)(x) + (c)) = (v)) 579 #else 580 #define word_in(x, c) aes_sw32(*((uint32_t *)(x) + (c))) 581 #define word_out(x, c, v) (*((uint32_t *)(x) + (c)) = aes_sw32(v)) 582 #endif 583 584 /* the finite field modular polynomial and elements */ 585 586 #define WPOLY 0x011b 587 #define BPOLY 0x1b 588 589 /* multiply four bytes in GF(2^8) by 'x' {02} in parallel */ 590 591 #define m1 0x80808080 592 #define m2 0x7f7f7f7f 593 #define gf_mulx(x) ((((x) & m2) << 1) ^ ((((x) & m1) >> 7) * BPOLY)) 594 595 /* 596 * The following defines provide alternative definitions of gf_mulx that might 597 * give improved performance if a fast 32-bit multiply is not available. Note 598 * that a temporary variable u needs to be defined where gf_mulx is used. 599 * 600 * #define gf_mulx(x) (u = (x) & m1, u |= (u >> 1), ((x) & m2) << 1) ^ \ 601 * ((u >> 3) | (u >> 6)) 602 * #define m4 (0x01010101 * BPOLY) 603 * #define gf_mulx(x) (u = (x) & m1, ((x) & m2) << 1) ^ ((u - (u >> 7)) \ 604 * & m4) 605 */ 606 607 /* Work out which tables are needed for the different options */ 608 609 #if defined(ASM_X86_V1C) 610 #if defined(ENC_ROUND) 611 #undef ENC_ROUND 612 #endif 613 #define ENC_ROUND FOUR_TABLES 614 #if defined(LAST_ENC_ROUND) 615 #undef LAST_ENC_ROUND 616 #endif 617 #define LAST_ENC_ROUND FOUR_TABLES 618 #if defined(DEC_ROUND) 619 #undef DEC_ROUND 620 #endif 621 #define DEC_ROUND FOUR_TABLES 622 #if defined(LAST_DEC_ROUND) 623 #undef LAST_DEC_ROUND 624 #endif 625 #define LAST_DEC_ROUND FOUR_TABLES 626 #if defined(KEY_SCHED) 627 #undef KEY_SCHED 628 #define KEY_SCHED FOUR_TABLES 629 #endif 630 #endif 631 632 #if (FUNCS_IN_C & ENCRYPTION_IN_C) || defined(ASM_X86_V1C) 633 #if ENC_ROUND == ONE_TABLE 634 #define FT1_SET 635 #elif ENC_ROUND == FOUR_TABLES 636 #define FT4_SET 637 #else 638 #define SBX_SET 639 #endif 640 #if LAST_ENC_ROUND == ONE_TABLE 641 #define FL1_SET 642 #elif LAST_ENC_ROUND == FOUR_TABLES 643 #define FL4_SET 644 #elif !defined(SBX_SET) 645 #define SBX_SET 646 #endif 647 #endif 648 649 #if (FUNCS_IN_C & DECRYPTION_IN_C) || defined(ASM_X86_V1C) 650 #if DEC_ROUND == ONE_TABLE 651 #define IT1_SET 652 #elif DEC_ROUND == FOUR_TABLES 653 #define IT4_SET 654 #else 655 #define ISB_SET 656 #endif 657 #if LAST_DEC_ROUND == ONE_TABLE 658 #define IL1_SET 659 #elif LAST_DEC_ROUND == FOUR_TABLES 660 #define IL4_SET 661 #elif !defined(ISB_SET) 662 #define ISB_SET 663 #endif 664 #endif 665 666 667 #if !(defined(REDUCE_CODE_SIZE) && (defined(ASM_X86_V2) || \ 668 defined(ASM_X86_V2C))) 669 #if ((FUNCS_IN_C & ENC_KEYING_IN_C) || (FUNCS_IN_C & DEC_KEYING_IN_C)) 670 #if KEY_SCHED == ONE_TABLE 671 #if !defined(FL1_SET) && !defined(FL4_SET) 672 #define LS1_SET 673 #endif 674 #elif KEY_SCHED == FOUR_TABLES 675 #if !defined(FL4_SET) 676 #define LS4_SET 677 #endif 678 #elif !defined(SBX_SET) 679 #define SBX_SET 680 #endif 681 #endif 682 #if (FUNCS_IN_C & DEC_KEYING_IN_C) 683 #if KEY_SCHED == ONE_TABLE 684 #define IM1_SET 685 #elif KEY_SCHED == FOUR_TABLES 686 #define IM4_SET 687 #elif !defined(SBX_SET) 688 #define SBX_SET 689 #endif 690 #endif 691 #endif 692 693 /* generic definitions of Rijndael macros that use tables */ 694 695 #define no_table(x, box, vf, rf, c) bytes2word(\ 696 box[bval(vf(x, 0, c), rf(0, c))], \ 697 box[bval(vf(x, 1, c), rf(1, c))], \ 698 box[bval(vf(x, 2, c), rf(2, c))], \ 699 box[bval(vf(x, 3, c), rf(3, c))]) 700 701 #define one_table(x, op, tab, vf, rf, c) \ 702 (tab[bval(vf(x, 0, c), rf(0, c))] \ 703 ^ op(tab[bval(vf(x, 1, c), rf(1, c))], 1) \ 704 ^ op(tab[bval(vf(x, 2, c), rf(2, c))], 2) \ 705 ^ op(tab[bval(vf(x, 3, c), rf(3, c))], 3)) 706 707 #define four_tables(x, tab, vf, rf, c) \ 708 (tab[0][bval(vf(x, 0, c), rf(0, c))] \ 709 ^ tab[1][bval(vf(x, 1, c), rf(1, c))] \ 710 ^ tab[2][bval(vf(x, 2, c), rf(2, c))] \ 711 ^ tab[3][bval(vf(x, 3, c), rf(3, c))]) 712 713 #define vf1(x, r, c) (x) 714 #define rf1(r, c) (r) 715 #define rf2(r, c) ((8+r-c)&3) 716 717 /* 718 * Perform forward and inverse column mix operation on four bytes in long word 719 * x in parallel. NOTE: x must be a simple variable, NOT an expression in 720 * these macros. 721 */ 722 723 #if !(defined(REDUCE_CODE_SIZE) && (defined(ASM_X86_V2) || \ 724 defined(ASM_X86_V2C))) 725 726 #if defined(FM4_SET) /* not currently used */ 727 #define fwd_mcol(x) four_tables(x, t_use(f, m), vf1, rf1, 0) 728 #elif defined(FM1_SET) /* not currently used */ 729 #define fwd_mcol(x) one_table(x, upr, t_use(f, m), vf1, rf1, 0) 730 #else 731 #define dec_fmvars uint32_t g2 732 #define fwd_mcol(x) (g2 = gf_mulx(x), g2 ^ upr((x) ^ g2, 3) ^ \ 733 upr((x), 2) ^ upr((x), 1)) 734 #endif 735 736 #if defined(IM4_SET) 737 #define inv_mcol(x) four_tables(x, t_use(i, m), vf1, rf1, 0) 738 #elif defined(IM1_SET) 739 #define inv_mcol(x) one_table(x, upr, t_use(i, m), vf1, rf1, 0) 740 #else 741 #define dec_imvars uint32_t g2, g4, g9 742 #define inv_mcol(x) (g2 = gf_mulx(x), g4 = gf_mulx(g2), g9 = \ 743 (x) ^ gf_mulx(g4), g4 ^= g9, \ 744 (x) ^ g2 ^ g4 ^ upr(g2 ^ g9, 3) ^ \ 745 upr(g4, 2) ^ upr(g9, 1)) 746 #endif 747 748 #if defined(FL4_SET) 749 #define ls_box(x, c) four_tables(x, t_use(f, l), vf1, rf2, c) 750 #elif defined(LS4_SET) 751 #define ls_box(x, c) four_tables(x, t_use(l, s), vf1, rf2, c) 752 #elif defined(FL1_SET) 753 #define ls_box(x, c) one_table(x, upr, t_use(f, l), vf1, rf2, c) 754 #elif defined(LS1_SET) 755 #define ls_box(x, c) one_table(x, upr, t_use(l, s), vf1, rf2, c) 756 #else 757 #define ls_box(x, c) no_table(x, t_use(s, box), vf1, rf2, c) 758 #endif 759 760 #endif 761 762 #if defined(ASM_X86_V1C) && defined(AES_DECRYPT) && !defined(ISB_SET) 763 #define ISB_SET 764 #endif 765 766 #ifdef __cplusplus 767 } 768 #endif 769 770 #endif /* _AESOPT_H */

Cache object: 438c2ae5d3195ca7215b29f09e98fa0d

FreeBSD/Linux Kernel Cross Reference sys/contrib/openzfs/module/icp/asm-x86_64/aes/aesopt.h

FreeBSD/Linux Kernel Cross Reference
sys/contrib/openzfs/module/icp/asm-x86_64/aes/aesopt.h