diff options
| author | Richard Henderson <richard.henderson@linaro.org> | 2023-07-09 15:01:43 +0100 |
|---|---|---|
| committer | Richard Henderson <richard.henderson@linaro.org> | 2023-07-09 15:01:43 +0100 |
| commit | 2ff49e96accc8fd9a38e9abd16f0cfa0adab1605 (patch) | |
| tree | 2de7e51955f62162978b94d62b8b1667f65dc507 /target/riscv/crypto_helper.c | |
| parent | fc61742e445c4ebfe3932063f683d99c6d737cee (diff) | |
| parent | ff494c8e2a4c857dd37fb908d8ac8158f5e4f89b (diff) | |
| download | focaccia-qemu-2ff49e96accc8fd9a38e9abd16f0cfa0adab1605.tar.gz focaccia-qemu-2ff49e96accc8fd9a38e9abd16f0cfa0adab1605.zip | |
Merge tag 'pull-tcg-20230709' of https://gitlab.com/rth7680/qemu into staging
crypto: Provide aes-round.h and host accel # -----BEGIN PGP SIGNATURE----- # # iQFRBAABCgA7FiEEekgeeIaLTbaoWgXAZN846K9+IV8FAmSqvGodHHJpY2hhcmQu # aGVuZGVyc29uQGxpbmFyby5vcmcACgkQZN846K9+IV+1bgf9EG57jfnCQLCfMQ6C # 0bQ0MaeAkGg+7+mUwyi3OPB1VO0yjEKv5pWEnolzrGud35P0KsyoO+msqGqxnbMv # IbhPkQZbmfMsGFPG1DbswjiwmQU5cV+ciONDM+C+qepnuUN+JrzIDHoEFzQRFoQo # eQL/LnuyUkYBvR7YCKNJxFHtwILKcYQPH4jiC6a92C11AzYjDfilSxnuQ2RwL3Tn # Zwf8TKJP5QGExvUdtm8f6xJ1LT7WAvsk9ZTwudE/+XRTnw8RWk6RmZSEQPx+cBdI # p3opaoxkkMrdmcaXbr+9eSfBGq2gsVkKYPiyTDuwVW26575Nob9ZmodT3oSBNlkC # +njd4w== # =Nf5i # -----END PGP SIGNATURE----- # gpg: Signature made Sun 09 Jul 2023 02:55:54 PM BST # gpg: using RSA key 7A481E78868B4DB6A85A05C064DF38E8AF7E215F # gpg: issuer "richard.henderson@linaro.org" # gpg: Good signature from "Richard Henderson <richard.henderson@linaro.org>" [ultimate] * tag 'pull-tcg-20230709' of https://gitlab.com/rth7680/qemu: (37 commits) crypto: Unexport AES_*_rot, AES_TeN, AES_TdN crypto: Remove AES_imc crypto: Implement aesdec_IMC with AES_imc_rot crypto: Remove AES_shifts, AES_ishifts target/riscv: Use aesdec_ISB_ISR_IMC_AK target/riscv: Use aesenc_SB_SR_MC_AK target/riscv: Use aesdec_IMC target/riscv: Use aesdec_ISB_ISR_AK target/riscv: Use aesenc_SB_SR_AK target/arm: Use aesdec_IMC target/arm: Use aesenc_MC target/arm: Use aesdec_ISB_ISR_AK target/arm: Use aesenc_SB_SR_AK target/arm: Demultiplex AESE and AESMC target/i386: Use aesdec_ISB_ISR_IMC_AK target/i386: Use aesenc_SB_SR_MC_AK target/i386: Use aesdec_IMC target/i386: Use aesdec_ISB_ISR_AK target/i386: Use aesenc_SB_SR_AK target/ppc: Use aesdec_ISB_ISR_AK_IMC ... Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Diffstat (limited to 'target/riscv/crypto_helper.c')
| -rw-r--r-- | target/riscv/crypto_helper.c | 138 |
1 files changed, 35 insertions, 103 deletions
diff --git a/target/riscv/crypto_helper.c b/target/riscv/crypto_helper.c index 2ef30281b1..99d85a6188 100644 --- a/target/riscv/crypto_helper.c +++ b/target/riscv/crypto_helper.c @@ -22,6 +22,7 @@ #include "exec/exec-all.h" #include "exec/helper-proto.h" #include "crypto/aes.h" +#include "crypto/aes-round.h" #include "crypto/sm4.h" #define AES_XTIME(a) \ @@ -103,114 +104,50 @@ target_ulong HELPER(aes32dsi)(target_ulong rs1, target_ulong rs2, return aes32_operation(shamt, rs1, rs2, false, false); } -#define BY(X, I) ((X >> (8 * I)) & 0xFF) - -#define AES_SHIFROWS_LO(RS1, RS2) ( \ - (((RS1 >> 24) & 0xFF) << 56) | (((RS2 >> 48) & 0xFF) << 48) | \ - (((RS2 >> 8) & 0xFF) << 40) | (((RS1 >> 32) & 0xFF) << 32) | \ - (((RS2 >> 56) & 0xFF) << 24) | (((RS2 >> 16) & 0xFF) << 16) | \ - (((RS1 >> 40) & 0xFF) << 8) | (((RS1 >> 0) & 0xFF) << 0)) - -#define AES_INVSHIFROWS_LO(RS1, RS2) ( \ - (((RS2 >> 24) & 0xFF) << 56) | (((RS2 >> 48) & 0xFF) << 48) | \ - (((RS1 >> 8) & 0xFF) << 40) | (((RS1 >> 32) & 0xFF) << 32) | \ - (((RS1 >> 56) & 0xFF) << 24) | (((RS2 >> 16) & 0xFF) << 16) | \ - (((RS2 >> 40) & 0xFF) << 8) | (((RS1 >> 0) & 0xFF) << 0)) - -#define AES_MIXBYTE(COL, B0, B1, B2, B3) ( \ - BY(COL, B3) ^ BY(COL, B2) ^ AES_GFMUL(BY(COL, B1), 3) ^ \ - AES_GFMUL(BY(COL, B0), 2)) - -#define AES_MIXCOLUMN(COL) ( \ - AES_MIXBYTE(COL, 3, 0, 1, 2) << 24 | \ - AES_MIXBYTE(COL, 2, 3, 0, 1) << 16 | \ - AES_MIXBYTE(COL, 1, 2, 3, 0) << 8 | AES_MIXBYTE(COL, 0, 1, 2, 3) << 0) - -#define AES_INVMIXBYTE(COL, B0, B1, B2, B3) ( \ - AES_GFMUL(BY(COL, B3), 0x9) ^ AES_GFMUL(BY(COL, B2), 0xd) ^ \ - AES_GFMUL(BY(COL, B1), 0xb) ^ AES_GFMUL(BY(COL, B0), 0xe)) - -#define AES_INVMIXCOLUMN(COL) ( \ - AES_INVMIXBYTE(COL, 3, 0, 1, 2) << 24 | \ - AES_INVMIXBYTE(COL, 2, 3, 0, 1) << 16 | \ - AES_INVMIXBYTE(COL, 1, 2, 3, 0) << 8 | \ - AES_INVMIXBYTE(COL, 0, 1, 2, 3) << 0) - -static inline target_ulong aes64_operation(target_ulong rs1, target_ulong rs2, - bool enc, bool mix) -{ - uint64_t RS1 = rs1; - uint64_t RS2 = rs2; - uint64_t result; - uint64_t temp; - uint32_t col_0; - uint32_t col_1; - - if (enc) { - temp = AES_SHIFROWS_LO(RS1, RS2); - temp = (((uint64_t)AES_sbox[(temp >> 0) & 0xFF] << 0) | - ((uint64_t)AES_sbox[(temp >> 8) & 0xFF] << 8) | - ((uint64_t)AES_sbox[(temp >> 16) & 0xFF] << 16) | - ((uint64_t)AES_sbox[(temp >> 24) & 0xFF] << 24) | - ((uint64_t)AES_sbox[(temp >> 32) & 0xFF] << 32) | - ((uint64_t)AES_sbox[(temp >> 40) & 0xFF] << 40) | - ((uint64_t)AES_sbox[(temp >> 48) & 0xFF] << 48) | - ((uint64_t)AES_sbox[(temp >> 56) & 0xFF] << 56)); - if (mix) { - col_0 = temp & 0xFFFFFFFF; - col_1 = temp >> 32; - - col_0 = AES_MIXCOLUMN(col_0); - col_1 = AES_MIXCOLUMN(col_1); - - result = ((uint64_t)col_1 << 32) | col_0; - } else { - result = temp; - } - } else { - temp = AES_INVSHIFROWS_LO(RS1, RS2); - temp = (((uint64_t)AES_isbox[(temp >> 0) & 0xFF] << 0) | - ((uint64_t)AES_isbox[(temp >> 8) & 0xFF] << 8) | - ((uint64_t)AES_isbox[(temp >> 16) & 0xFF] << 16) | - ((uint64_t)AES_isbox[(temp >> 24) & 0xFF] << 24) | - ((uint64_t)AES_isbox[(temp >> 32) & 0xFF] << 32) | - ((uint64_t)AES_isbox[(temp >> 40) & 0xFF] << 40) | - ((uint64_t)AES_isbox[(temp >> 48) & 0xFF] << 48) | - ((uint64_t)AES_isbox[(temp >> 56) & 0xFF] << 56)); - if (mix) { - col_0 = temp & 0xFFFFFFFF; - col_1 = temp >> 32; - - col_0 = AES_INVMIXCOLUMN(col_0); - col_1 = AES_INVMIXCOLUMN(col_1); - - result = ((uint64_t)col_1 << 32) | col_0; - } else { - result = temp; - } - } - - return result; -} +static const AESState aes_zero = { }; target_ulong HELPER(aes64esm)(target_ulong rs1, target_ulong rs2) { - return aes64_operation(rs1, rs2, true, true); + AESState t; + + t.d[HOST_BIG_ENDIAN] = rs1; + t.d[!HOST_BIG_ENDIAN] = rs2; + aesenc_SB_SR_MC_AK(&t, &t, &aes_zero, false); + return t.d[HOST_BIG_ENDIAN]; } target_ulong HELPER(aes64es)(target_ulong rs1, target_ulong rs2) { - return aes64_operation(rs1, rs2, true, false); + AESState t; + + t.d[HOST_BIG_ENDIAN] = rs1; + t.d[!HOST_BIG_ENDIAN] = rs2; + aesenc_SB_SR_AK(&t, &t, &aes_zero, false); + return t.d[HOST_BIG_ENDIAN]; } target_ulong HELPER(aes64ds)(target_ulong rs1, target_ulong rs2) { - return aes64_operation(rs1, rs2, false, false); + AESState t; + + t.d[HOST_BIG_ENDIAN] = rs1; + t.d[!HOST_BIG_ENDIAN] = rs2; + aesdec_ISB_ISR_AK(&t, &t, &aes_zero, false); + return t.d[HOST_BIG_ENDIAN]; } target_ulong HELPER(aes64dsm)(target_ulong rs1, target_ulong rs2) { - return aes64_operation(rs1, rs2, false, true); + AESState t, z = { }; + + /* + * This instruction does not include a round key, + * so supply a zero to our primitive. + */ + t.d[HOST_BIG_ENDIAN] = rs1; + t.d[!HOST_BIG_ENDIAN] = rs2; + aesdec_ISB_ISR_IMC_AK(&t, &t, &z, false); + return t.d[HOST_BIG_ENDIAN]; } target_ulong HELPER(aes64ks2)(target_ulong rs1, target_ulong rs2) @@ -259,17 +196,12 @@ target_ulong HELPER(aes64ks1i)(target_ulong rs1, target_ulong rnum) target_ulong HELPER(aes64im)(target_ulong rs1) { - uint64_t RS1 = rs1; - uint32_t col_0 = RS1 & 0xFFFFFFFF; - uint32_t col_1 = RS1 >> 32; - target_ulong result; - - col_0 = AES_INVMIXCOLUMN(col_0); - col_1 = AES_INVMIXCOLUMN(col_1); + AESState t; - result = ((uint64_t)col_1 << 32) | col_0; - - return result; + t.d[HOST_BIG_ENDIAN] = rs1; + t.d[!HOST_BIG_ENDIAN] = 0; + aesdec_IMC(&t, &t, false); + return t.d[HOST_BIG_ENDIAN]; } target_ulong HELPER(sm4ed)(target_ulong rs1, target_ulong rs2, |